- From: Lucas Pardue <lucaspardue.24.7@gmail.com>
- Date: Mon, 13 Sep 2021 01:21:48 +0100
- To: Martin Thomson <mt@lowentropy.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 13 September 2021 00:23:11 UTC
On Mon, 13 Sep 2021, 01:08 Martin Thomson, <mt@lowentropy.net> wrote:

> On Sun, Sep 12, 2021, at 02:30, Roy T. Fielding wrote:
> > Unless the goal is to fail verification, signing Via is unwise because
> > it is supposed to be changed by recipients as the message is received
> > (usually before the message semantics are processed). I don't think I
> > would go as far as making it a SHOULD NOT requirement, but I would
> > never sign it myself.
>
> This is almost obvious enough that writing it down is unnecessary :)
>
> In cases where intermediaries add information that needs to be
> authenticated (asking why this might be is a worthwhile exercise), perhaps
> they can copy the information to a header field that is specific to that
> purpose.

"Via" had practical deployment problems enough as it is, without people trying to sign and validate it. I think special casing it in this draft is a nudge in the wrong direction. But I agree that maybe there is some merit in considering intermediary treatment of headers, CDN-Loop comes to mind.

Cheers
Lucas
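The verification failure discussed in this thread, as an added example that is not part of the original messages: a signature that covers Via stops verifying once a single proxy appends its hop, while the same message signed without Via still verifies. The signature base is a simplified form modeled on the HTTP Message Signatures draft and is not a conforming implementation; the HMAC key, header values, host names and function names are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, illustration only

def signature_base(headers, covered):
    """Simplified base: one '"name": value' line per covered field, then the
    list of covered names (modeled on the draft, not conforming to it)."""
    lines = ['"%s": %s' % (name, headers[name].strip()) for name in covered]
    params = "(" + " ".join('"%s"' % n for n in covered) + ")"
    lines.append('"@signature-params": ' + params)
    return "\n".join(lines).encode()

def sign(headers, covered, key=KEY):
    return hmac.new(key, signature_base(headers, covered), hashlib.sha256).digest()

def verify(headers, covered, sig, key=KEY):
    if any(name not in headers for name in covered):
        return False  # a covered field was removed in transit
    return hmac.compare_digest(sign(headers, covered, key), sig)

def forward(headers, pseudonym):
    """What a proxy does on receipt: append its own hop to Via."""
    out = dict(headers)
    hop = "1.1 " + pseudonym
    out["via"] = out["via"] + ", " + hop if "via" in out else hop
    return out

# Constructed message, as sent by a client that already sits behind one proxy.
SENT = {"date": "Mon, 13 Sep 2021 00:00:00 GMT",
        "content-type": "application/json",
        "via": "1.1 client-proxy.example"}

def demo():
    with_via = ("date", "content-type", "via")
    without_via = ("date", "content-type")
    sig_with = sign(SENT, with_via)
    sig_without = sign(SENT, without_via)
    received = forward(SENT, "cdn-edge.example")  # one hop later
    return {
        "unmodified_with_via": verify(SENT, with_via, sig_with),
        "forwarded_with_via": verify(received, with_via, sig_with),
        "forwarded_without_via": verify(received, without_via, sig_without),
    }

if __name__ == "__main__":
    print(demo())
```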