Re: feedback on draft-ietf-httpbis-message-signatures-13

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 17 Oct 2022 18:27:05 +0200
Message-ID: <1942525e-0ea6-7519-4dd6-c2a9af04415b@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org

On 2022-10-17 13:59, Julian Reschke wrote:
> On 17.10.2022 12:44, Anders Rundgren wrote:
>> +1
>> Target URI and Method (as well as other data related to the message)
>> may equally well be put in the payload.  HTTP header signing is an
>> unnecessary complication.
>> ...
> Can you elaborate? You might have a media type that allows adding a
> *copy* of that information, but that's not the same thing.

Hi Julian,
It is quite possible that I misunderstand what you write, but I don't see a problem with having a copy of targetUri in the payload.
An RP may (depending on proxying etc.) compare this data with the HTTP header counterpart and fail if there is a mismatch.

An additional advantage with this arrangement is that signed messages become serializable and thus can easily be stored in databases, embedded in other objects, etc.


See "recipientUrl" in: https://cyberphone.github.io/doc/saturn/bank2bank-payment.html#4

> Best regards, Julian
Received on Monday, 17 October 2022 16:27:18 UTC
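
The arrangement described in this message, as an added example that is not part of the original e-mail or of the specification it links to: the sender signs a payload carrying a copy of the method and target URI, and the recipient verifies the signature and then compares the signed copy with the request it actually received. The field names other than `targetUri`, the HMAC-SHA256 signature with a shared demo key, the sorted-key JSON serialization and the URI normalization rules are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed demo key (assumption); a real deployment would likely use asymmetric keys.
DEMO_KEY = b"constructed-demo-key"


def canonical(obj):
    """Deterministic JSON serialization (sorted keys, no whitespace) used for signing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(method, target_uri, data, key=DEMO_KEY):
    """Sender: embed method and target URI in the payload, then sign the whole object."""
    body = {"method": method, "targetUri": target_uri, "data": data}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({**body, "signature": tag})


def normalize(uri):
    """Lower-case scheme and host and drop default ports before comparing."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{host}{port}{p.path or '/'}{query}"


def verify_message(raw, request_method, request_uri, key=DEMO_KEY):
    """Recipient: check the signature, then the signed copy against the real request."""
    msg = json.loads(raw)
    tag = str(msg.pop("signature", ""))
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad signature")
    if msg["method"] != request_method.upper():
        raise ValueError("method mismatch")
    # request_uri is the URI as the recipient reconstructs it (assumption: known
    # public scheme/host when behind a proxy).
    if normalize(msg["targetUri"]) != normalize(request_uri):
        raise ValueError("target URI mismatch")
    return msg["data"]
```

Because the signature covers only the serialized object, the same string can be stored and its signature re-checked later without the original HTTP exchange; only the two comparison steps need the live request.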