- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 10 Sep 2021 15:22:05 -0700
- To: Justin Richer <jricher@mit.edu>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
> On Sep 10, 2021, at 12:54 PM, Justin Richer <jricher@mit.edu> wrote: > > One of the foundational goals of the HTTP Message Signatures draft is that a signed message can be reasonably robust against expected transformations by intermediaries. The editors want some feedback from the experts in the community on a particular transformation: > > It seems that a fairly common case is for an intermediary to add a Via header to a message as it’s passed through. Yes, that's the entire purpose of the Via field. In particular, it describes the message path as it was received by that intermediary. It has no security or integrity purpose, whatsoever, since each intermediary has complete control over the field contents (including not sending them at all, replacing names with pseudonyms, etc.). A signature would be counterproductive. I suggest that Via be excluded from your draft's message signature. ....Roy
Received on Friday, 10 September 2021 22:22:28 UTC