
Re: feedback on draft-ietf-httpbis-message-signatures-13

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 17 Oct 2022 18:31:31 +0200
Message-ID: <774fe022-9ed8-c044-40ef-cca22c847e34@gmx.de>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, ietf-http-wg@w3.org

On 17.10.2022 18:27, Anders Rundgren wrote:
> On 2022-10-17 13:59, Julian Reschke wrote:
>> On 17.10.2022 12:44, Anders Rundgren wrote:
>>> +1
>>>
>>> Target URI and Method (as well as other data related to the message),
>>> may equally well be put in the payload.  HTTP header signing is an
>>> unnecessary complication.
>>> ...
>>
>> Can you elaborate? You might have a media type that allows adding a
>> *copy* of that information, but that's not the same thing.
>
> Hi Julian,
> It is quite possible that I misunderstand what you write but I don't see
> a problem with having a copy of targetUri in the payload.
> An RP may (depending on proxying etc) compare this data with the HTTP
> header counterpart and fail if there is a mismatch.
>
> An additional advantage with this arrangement is that signed messages
> become serializable and thus can easily be stored in databases, embedded
> in other objects, etc.
>
> Regards,
> Anders

Well, that would only work with certain media types. It's not a generic
solution.

Best regards, Julian
Received on Monday, 17 October 2022 16:31:45 UTC
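
The arrangement debated in this thread, as an added example that is not code from either poster or from draft-ietf-httpbis-message-signatures: a signed payload carries a copy of `targetUri`, and the receiving party compares it with the request it actually received, which only works when the media type has room for that copy. The JSON envelope, the HMAC-SHA256 shared key, the `method` field and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared secret, illustration only


def sign_payload(fields: dict) -> bytes:
    """Serialize the fields deterministically and attach an HMAC tag.

    The result is plain bytes, so it can be stored or embedded elsewhere
    and still be verified later.
    """
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"signed": body, "tag": tag}).encode()


def verify_request(method: str, target_uri: str,
                   content_type: str, raw: bytes) -> dict:
    """Return the signed fields, or raise ValueError on any failure."""
    # A copy of targetUri can only exist where the media type can hold it;
    # this sketch understands one media type and rejects everything else.
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("media type cannot carry a signed targetUri copy")
    try:
        envelope = json.loads(raw)
        body, tag = envelope["signed"], envelope["tag"]
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        tag_ok = hmac.compare_digest(expected.encode(), tag.encode())
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError("malformed envelope") from exc
    if not tag_ok:
        raise ValueError("bad signature")
    fields = json.loads(body)
    # Compare the signed copy with the HTTP request that was received.
    if fields.get("targetUri") != target_uri or fields.get("method") != method:
        raise ValueError("payload/request mismatch")
    return fields
```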
