Re: Partial signatures on the Via header

On 12/09/21 12:01 am, Justin Richer wrote:
> Via can already be excluded by simply not signing it. Are you suggesting that we explicitly say that it should not be signed, for the reasons you mention?
> 

That might be useful.

Amos

> -Justin
> ________________________________________
> From: Roy T. Fielding [fielding@gbiv.com]
> Sent: Friday, September 10, 2021 6:22 PM
> To: Justin Richer
> Cc: HTTP Working Group
> Subject: Re: Partial signatures on the Via header
> 
>> On Sep 10, 2021, at 12:54 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> One of the foundational goals of the HTTP Message Signatures draft is that a signed message can be reasonably robust against expected transformations by intermediaries. The editors want some feedback from the experts in the community on a particular transformation:
>>
>> It seems that a fairly common case is for an intermediary to add a Via header to a message as it’s passed through.
> 
> Yes, that's the entire purpose of the Via field. In particular, it describes the message path as it was received by that intermediary. It has no security or integrity purpose, whatsoever, since each intermediary has complete control over the field contents (including not sending them at all, replacing names with pseudonyms, etc.). A signature would be counterproductive.
> 
> I suggest that Via be excluded from your draft's message signature.
> 
> ....Roy
> 
> 

Received on Saturday, 11 September 2021 16:22:19 UTC
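
An added example, not part of the original thread and not the draft's own code: it sketches the point discussed above, that a signature which does not cover Via still verifies after an intermediary appends its Via entry, while one that covers Via does not. The signature base is a simplified, illustrative serialization (not the draft's exact format) with HMAC-SHA256; the key, header values and proxy names are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: shared secret for HMAC-SHA256


def signature_base(headers, covered):
    """Serialize only the covered fields, in the order the signer listed them.

    Simplified stand-in for a signature base: one line per covered field,
    plus a final line naming the covered set so it cannot be swapped.
    """
    lines = []
    for name in covered:
        # Multiple instances of a field are combined with ", " as HTTP allows.
        values = [v.strip() for n, v in headers if n.lower() == name]
        lines.append(f'"{name}": {", ".join(values)}')
    lines.append('"@signature-params": (' + " ".join(f'"{n}"' for n in covered) + ")")
    return "\n".join(lines).encode()


def sign(headers, covered):
    return hmac.new(KEY, signature_base(headers, covered), hashlib.sha256).digest()


def verify(headers, covered, tag):
    return hmac.compare_digest(sign(headers, covered), tag)


def via_hop(headers, received_protocol, pseudonym):
    """What an intermediary does: append its own Via entry to the message."""
    return headers + [("Via", f"{received_protocol} {pseudonym}")]


def demo():
    # Constructed request that already passed through one proxy.
    sent = [("Host", "example.com"), ("Date", "Tue, 07 Sep 2021 10:00:00 GMT"),
            ("Via", "1.1 proxy-a")]
    received = via_hop(sent, "1.1", "proxy-b")

    without_via = ["host", "date"]
    with_via = ["host", "date", "via"]
    return {
        "without_via": verify(received, without_via, sign(sent, without_via)),
        "with_via": verify(received, with_via, sign(sent, with_via)),
    }


if __name__ == "__main__":
    print(demo())
```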