W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: Partial signatures on the Via header

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 12 Sep 2021 04:17:10 +1200
To: ietf-http-wg@w3.org
Message-ID: <09fa8cf1-e677-287f-ea49-a339e95493fb@treenet.co.nz>
On 12/09/21 12:01 am, Justin Richer wrote:
> Via can already be excluded by simply not signing it. Are you suggesting that we explicitly say that it should not be signed, for the reasons you mention?
> 

That might be useful.

Amos

> -Justin
> ________________________________________
> From: Roy T. Fielding [fielding@gbiv.com]
> Sent: Friday, September 10, 2021 6:22 PM
> To: Justin Richer
> Cc: HTTP Working Group
> Subject: Re: Partial signatures on the Via header
> 
>> On Sep 10, 2021, at 12:54 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> One of the foundational goals of the HTTP Message Signatures draft is that a signed message can be reasonably robust against expected transformations by intermediaries. The editors want some feedback from the experts in the community on a particular transformation:
>>
>> It seems that a fairly common case is for an intermediary to add a Via header to a message as itís passed through.
> 
> Yes, that's the entire purpose of the Via field. In particular, it describes the message path as it was received by that intermediary. It has no security or integrity purpose, whatsoever, since each intermediary has complete control over the field contents (including not sending them at all, replacing names with pseudonyms, etc.). A signature would be counterproductive.
> 
> I suggest that Via be excluded from your draft's message signature.
> 
> ....Roy
> 
> 
Received on Saturday, 11 September 2021 16:22:19 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 11 September 2021 16:22:24 UTC