- From: Mike Bishop <mbishop@evequefou.be>
- Date: Thu, 16 Sep 2021 18:55:46 +0000
- To: Martin Thomson <mt@lowentropy.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Can I suggest "is expected to be" rather than "might be"? Any header field *might* be altered by an intermediary.

-----Original Message-----
From: Martin Thomson <mt@lowentropy.net>
Sent: Monday, September 13, 2021 5:41 PM
To: ietf-http-wg@w3.org
Subject: Re: Partial signatures on the Via header

On Tue, Sep 14, 2021, at 07:30, Justin Richer wrote:
> Jumping back on the top of the thread to summarize the next steps:
>
> This was some pretty clear and strong feedback, thanks everyone for
> providing it. The editors will add a note about this header to the
> security considerations section (namely, saying that it can’t really
> be relied on) but will neither put a normative requirement nor a
> special-cased field to support it.

I think maybe you want a simple note, with Via only referenced as an example. That is:

Any field that might be added to or altered by an intermediary might cause signatures to become invalid. This might be the case for Via, Forwarded-For, and CDN-Loop (or pick your own favourite examples).
Received on Thursday, 16 September 2021 18:56:00 UTC
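
The effect discussed in this thread, shown as an added example that is not part of the original messages or of the draft: a signature that covers Via stops verifying once an intermediary appends its own Via entry, while one that covers only fields the intermediary leaves alone still verifies. The signature base format, the HMAC-SHA256 key, the host names and the function names are simplified assumptions, not the draft's exact serialization.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, shared by signer and verifier

def signature_base(headers, covered):
    """Simplified signature base (assumption, not the draft's exact format):
    one '"name": value' line per covered field, with repeated fields
    combined using ', ' in the order they appear."""
    lines = []
    for name in covered:
        values = [v.strip() for n, v in headers if n.lower() == name]
        lines.append(f'"{name}": {", ".join(values)}')
    return "\n".join(lines).encode()

def sign(headers, covered, key=KEY):
    return hmac.new(key, signature_base(headers, covered), hashlib.sha256).digest()

def verify(headers, covered, sig, key=KEY):
    # Recompute over the message as received and compare in constant time.
    return hmac.compare_digest(sign(headers, covered, key), sig)

def through_proxy(headers, hop="1.1 proxy.example"):
    """Hypothetical intermediary that appends its own Via entry."""
    return headers + [("Via", hop)]

# Constructed request as it leaves the signer.
ORIGIN = [
    ("Host", "api.example"),
    ("Date", "Tue, 14 Sep 2021 07:30:00 GMT"),
    ("Via", "1.1 edge.example"),
]

def demo():
    """Sign at the origin, verify after one hop, for two sets of covered fields."""
    received = through_proxy(ORIGIN)
    results = {}
    for covered in (("host", "date", "via"), ("host", "date")):
        sig = sign(ORIGIN, covered)
        results[covered] = verify(received, covered, sig)
    return results

if __name__ == "__main__":
    for covered, ok in demo().items():
        print(", ".join(covered), "->", "valid" if ok else "INVALID after proxy hop")
```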