- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sat, 11 Sep 2021 09:30:02 -0700
- To: Justin Richer <jricher@mit.edu>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
> On Sep 11, 2021, at 5:01 AM, Justin Richer <jricher@mit.edu> wrote: > > Via can already be excluded by simply not signing it. Are you suggesting that we explicitly say that it should not be signed, for the reasons you mention? Unless the goal is to fail verification, signing Via is unwise because it is supposed to be changed by recipients as the message is received (usually before the message semantics are processed). I don't think I would go as far as making it a SHOULD NOT requirement, but I would never sign it myself. ....Roy
Received on Saturday, 11 September 2021 16:30:21 UTC