RE: Partial signatures on the Via header from Eric J Bowman on 2021-09-11 (ietf-http-wg@w3.org from July to September 2021)

From: Eric J Bowman <mellowmutt@zoho.com>
Date: Sat, 11 Sep 2021 05:26:56 -0700
To: "Justin Richer" <jricher@mit.edu>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <17bd4d333d9.ac3d56c081561.476159068268190075@zoho.com>

>

> I meant that's how it's used when it's used, not that it was required.

>
 
I understand that. But I'm not seeing a use case where it's reliable, unless control of intermediaries (intranet) is guaranteed. If the goal of your draft is robust messaging over the open Internet, I think you're barking up the wrong tree by signing Via headers, even *if* you could make it required.




I've only ever coded Via headers as an exercise in protocol pedantry, as a placeholder for accomplishing something useful down the road. But even validating messages between an origin server and a front-end cache on the same network can be achieved by other means. Via's nice in theory, but useless in practice...



-Eric


________________________________________ 
From: Eric J Bowman [mailto:mellowmutt@zoho.com] 
Sent: Friday, September 10, 2021 4:20 PM 
To: Justin Richer 
Cc: HTTP Working Group 
Subject: Re: Partial signatures on the Via header 
 
> 
> - It is additive in nature; intermediaries tack on themselves to the existing list (right?) 
> 
 
Many rural/3rd-world ISPs use intermediaries to inject adware on the last hop, without tacking themselves onto the Via list. 
 
-Eric

Received on Saturday, 11 September 2021 12:27:20 UTC