W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: Partial signatures on the Via header

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 10 Sep 2021 15:22:05 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <73828A4B-CC3B-429D-907F-79304618957D@gbiv.com>
To: Justin Richer <jricher@mit.edu>
> On Sep 10, 2021, at 12:54 PM, Justin Richer <jricher@mit.edu> wrote:
> One of the foundational goals of the HTTP Message Signatures draft is that a signed message can be reasonably robust against expected transformations by intermediaries. The editors want some feedback from the experts in the community on a particular transformation: 
> It seems that a fairly common case is for an intermediary to add a Via header to a message as it’s passed through.

Yes, that's the entire purpose of the Via field. In particular, it describes the message path as it was received by that intermediary. It has no security or integrity purpose, whatsoever, since each intermediary has complete control over the field contents (including not sending them at all, replacing names with pseudonyms, etc.). A signature would be counterproductive.

I suggest that Via be excluded from your draft's message signature.

Received on Friday, 10 September 2021 22:22:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 10 September 2021 22:22:30 UTC