Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

On 27.09.2022 01:01, Mark Nottingham wrote:
> ...

I started a review, and I'm finding mostly minor issues so far which
I'll either summarize later or create PRs for.

One thing that *might* be non-trivial is the handling of percent-escaping.

For instance, in
<https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.2.6>:

"Namely, an empty path string is normalized as a single slash /
character, and path components are represented by their values after
decoding any percent-encoded octets."

So consider:

POST /foo%2fbar HTTP/1.1
Host: www.example.com

Unescaping %2f to "/" would yield a @path component value of

/foo/bar

is that really intended? I believe we need to have a look at the
following cases:

- escaped characters that otherwise would delimit URI components (such
as "?" or "#")

- escaped characters that otherwise have a special role inside a
component (such as "/" in the path or "&" in a query)

- escaped characters that map to non-ASCII characters (do we care about
encoding schemes, and if so, which?)

- escaped characters that might otherwise be problematic (%00 for instance)

I'm not sure yet what the correct approach would be, but whatever it is,
it should be reflected in the examples.

Best regards, Julian

Received on Wednesday, 26 October 2022 17:39:42 UTC
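To make the concern in Julian's message concrete, the following Python is an added example (not part of the mailing-list message and not code from the draft) showing how the quoted @path rule, applied literally, collapses distinct request-targets into the same signature-base value, and how a normalization that decodes only unreserved ASCII escapes keeps them apart. The request-targets are constructed samples, and `reserved_preserving_path_component` is an assumed alternative for comparison, not a rule the draft specifies.

```python
import string
from urllib.parse import unquote

# Constructed request-targets (not taken from the original message). Each one
# exercises one of the four cases the message lists: an escaped delimiter ("?"),
# an escaped component-internal character ("/"), escaped non-ASCII (UTF-8 "é"),
# and an escaped problematic octet (%00).
CONSTRUCTED_TARGETS = [
    "/foo%2fbar",    # escaped "/" inside the path
    "/foo/bar",      # literal "/" -- distinct target on the wire
    "/a%3Fb",        # escaped "?", which would otherwise start the query
    "/caf%C3%A9",    # escaped UTF-8 bytes for "é"
    "/nul%00byte",   # escaped NUL octet
]


def naive_path_component(target: str) -> str:
    """@path as the quoted draft text reads: decode every percent-escape,
    and represent an empty path as a single "/"."""
    path = target.split("?", 1)[0]
    return unquote(path) or "/"


def reserved_preserving_path_component(target: str) -> str:
    """Assumed alternative (not the draft's rule): decode an escape only when it
    maps to an unreserved ASCII character (ALPHA / DIGIT / "-" / "." / "_" / "~");
    re-emit everything else as upper-case %XX so reserved characters, control
    octets and non-ASCII bytes never reappear literally in the signature base."""
    path = target.split("?", 1)[0]
    if not path:
        return "/"
    out = []
    i = 0
    while i < len(path):
        if (path[i] == "%" and i + 3 <= len(path)
                and all(c in string.hexdigits for c in path[i + 1:i + 3])):
            octet = int(path[i + 1:i + 3], 16)
            ch = chr(octet)
            if octet < 0x80 and (ch.isalnum() or ch in "-._~"):
                out.append(ch)               # unreserved: safe to decode
            else:
                out.append("%%%02X" % octet)  # keep escaped, normalized case
            i += 3
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def collisions(targets, normalize):
    """Group distinct request-targets whose normalized @path values coincide.
    Any group of size > 1 means one signature covers several wire-level paths."""
    groups = {}
    for t in targets:
        groups.setdefault(normalize(t), []).append(t)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name, fn in (("naive", naive_path_component),
                     ("reserved-preserving", reserved_preserving_path_component)):
        print(f"{name}:")
        for t in CONSTRUCTED_TARGETS:
            print(f"  {t!r:16} -> {fn(t)!r}")
        print("  collisions:", collisions(CONSTRUCTED_TARGETS, fn))
```

Running the script shows the naive rule mapping both `/foo%2fbar` and `/foo/bar` to `/foo/bar`, and exposing a literal `?` and a NUL byte in the signature base, while the reserved-preserving variant reports no collisions; whichever rule the draft settles on, this is the kind of check its examples should make visible.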