- From: Martin Thomson <mt@lowentropy.net>
- Date: Mon, 13 Sep 2021 10:04:10 +1000
- To: ietf-http-wg@w3.org
On Sun, Sep 12, 2021, at 02:30, Roy T. Fielding wrote: > Unless the goal is to fail verification, signing Via is unwise because > it is supposed to be changed by recipients as the message is received > (usually before the message semantics are processed). I don't think I > would go as far as making it a SHOULD NOT requirement, but I would > never sign it myself. This almost obvious enough that writing it down is unnecessary :) In cases where intermediaries add information that needs to be authenticated (asking why this might be is a worthwhile exercise), perhaps they can copy the information to a header field that is specific to that purpose.
Received on Monday, 13 September 2021 00:04:47 UTC