
Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 28 Oct 2022 18:26:58 +0200
Message-ID: <0563c8e6-ff81-7228-8373-e1bc9d9083d4@gmx.de>
To: ietf-http-wg@w3.org

On 28.10.2022 18:24, Julian Reschke wrote:
> On 27.09.2022 01:01, Mark Nottingham wrote:
>> ...
>
>
> <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.1> says:
>
> > Unless overridden by additional parameters and rules, the HTTP field
> > value MUST be canonicalized as a single combined value as defined in
> > Section 5.2 of [HTTP].
>
> ...but later on it specifies...:
>
> > Concatenate the list of values together with a single comma (",") and
> > a single space (" ") between each item.
>
> ...which is inconsistent with Section 5.2's definition of "combined value":
>
> > When a field name is repeated within a section, its combined field
> > value consists of the list of corresponding field line values within
> > that section, concatenated in order, with each field line value
> > separated by a comma.
>
> Not good. This message-signatures spec can likely work around this by
> not referring to the definition of "combined field value" from 5.2 --
> but we may have to discuss this as an issue in the core spec (which goes
> on with an example where SP is indeed inserted, and Section 5.3 which
> explicitly allows that).
>
> Best regards, Julian

...but at the end of the day, the recipient of the digest cannot assume
that intermediaries followed the same normalization requirements, when
the HTTP core specs make the additional SP optional.

Best regards, Julian
Received on Friday, 28 October 2022 16:27:13 UTC
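
The following is an added example, not part of the original message or of the draft: it shows how the separator an intermediary uses when merging repeated field lines changes the value a verifier canonicalizes. The field name, key, values and the one-line `"name": value` signing input are constructed for illustration and are a simplification of the draft's signature base.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"          # constructed, for illustration only
FIELD = "Example-Field"                # hypothetical field name
SENT_LINES = ["a", "b"]                # constructed: two field lines as sent


def canonical_field_value(field_lines):
    """Strip each field line value, then join with ", " as the quoted draft step says."""
    return ", ".join(value.strip() for value in field_lines)


def intermediary_combine(field_lines, separator):
    """Model an intermediary that folds repeated field lines into one line.

    HTTP Section 5.2 only requires a comma; the following SP is optional.
    """
    return [separator.join(value.strip() for value in field_lines)]


def sign(key, name, field_lines):
    """HMAC-SHA256 over a simplified '"name": value' line (assumption, not the full base)."""
    line = f'"{name.lower()}": {canonical_field_value(field_lines)}'
    return hmac.new(key, line.encode("ascii"), hashlib.sha256).hexdigest()


def verifies_after(separator):
    """Return True if the signer's MAC still matches after the intermediary merges lines."""
    signer_mac = sign(KEY, FIELD, SENT_LINES)
    received = intermediary_combine(SENT_LINES, separator)
    return hmac.compare_digest(signer_mac, sign(KEY, FIELD, received))


def verifies_untouched():
    """Return True when the field lines arrive exactly as sent."""
    return hmac.compare_digest(sign(KEY, FIELD, SENT_LINES), sign(KEY, FIELD, SENT_LINES))


if __name__ == "__main__":
    for sep in (", ", ","):
        merged = intermediary_combine(SENT_LINES, sep)[0]
        print(f"merged as {merged!r}: verifies = {verifies_after(sep)}")
```

A verifier that receives the single merged line `a,b` has no way to tell it apart from an origin value that contained a comma, so it cannot re-insert the space safely.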
