W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: Partial signatures on the Via header

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 13 Sep 2021 01:21:48 +0100
Message-ID: <CALGR9oa=U58P5M7WxMnO0GVf5yiy0Zh8bFgkbpCRuL3630L3bA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Mon, 13 Sep 2021, 01:08 Martin Thomson, <mt@lowentropy.net> wrote:

> On Sun, Sep 12, 2021, at 02:30, Roy T. Fielding wrote:
> > Unless the goal is to fail verification, signing Via is unwise because
> > it is supposed to be changed by recipients as the message is received
> > (usually before the message semantics are processed). I don't think I
> > would go as far as making it a SHOULD NOT requirement, but I would
> > never sign it myself.
>
> This almost obvious enough that writing it down is unnecessary :)
>
> In cases where intermediaries add information that needs to be
> authenticated (asking why this might be is a worthwhile exercise), perhaps
> they can copy the information to a header field that is specific to that
> purpose.
>

"Via" had practical deployment problems enough as it is, without people
trying to sign and validate it. I think special casing it in this draft is
a nudge in the wrong direction. But I agree that maybe there is some merit
in considering intermediary treatment of headers, CDN-Loop comes to mind.

Cheers
Lucas

>
Received on Monday, 13 September 2021 00:23:11 UTC

This archive was generated by hypermail 2.4.0 : Monday, 13 September 2021 00:23:12 UTC