- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 17 Nov 2022 14:15:50 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <2F402476-B7FE-48E3-8708-5A4DB577C339@bblfish.net>
Hi,

As I am implementing [Signing HTTP Messages](https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html), the test suite in the doc is pretty good, but more may be better here… One could perhaps collect a lot more corner cases by putting together a test suite.

Such a suite could consist of a set of data in some format, each consisting of

* server context data (port, optional name, https or http)
* a (request response) pair, max one of them being optional
* a `Signature-Input` description
* the resulting signature base
* a signature, using one of the keys
* whether the signature is valid, and if not why not (e.g. the date specified is semantically invalid)

Then one could discuss all kinds of corner cases, and come up with new test cases. That would allow one to collect difficult cases, with explanations as to why that is the correct result when it is not easy to see.

It would also be good if there were a channel to discuss these cases, such as perhaps the IETF [Zulip Http Signature](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/Signing.20HTTP.20Messages) stream? If we can publicize it for implementors we may get some interesting feedback that way, without needing to bother the whole mailing list here.

Here is a little question I have for example. The spec says in §2.2.5 that for a request

```HTTP
CONNECT www.example.com:80 HTTP/1.1
Host: www.example.com
```

the `@request-target` attribute should have as value the content of the string "www.example.com:80". Is that specific to `CONNECT`? What should the value be for

```HTTP
GET http://example.com:80/hello HTTP/1.1
```

Should it be "http://example.com:80/hello" or "http://example.com/hello", because 80 is the default port for `http`? If I am asking myself questions here, I guess many other implementors will too, and they may come to different conclusions.
It could also be useful to have a forum or DB where people can explain problems with intermediaries that come with experience deploying this, so that people building specs on this could make informed choices of headers to sign.

Henry Story

PS. I have mostly completed my update with tests here: https://github.com/bblfish/httpSig/pull/12

https://co-operating.systems
WhatsApp, Signal, Tel: +33 6 38 32 69 84
Twitter: @bblfish
Received on Thursday, 17 November 2022 13:16:17 UTC
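As an added example (not code from the post, nor from the httpSig project or any other implementation), here is a Python sketch of one record of the test suite proposed in the message, with the signature base built from the derived components the question is about. It assumes `@request-target` is the request line's target verbatim with no default-port normalization (the very point the post asks about), and leaves out key material and signature bytes; `Request`, `Case` and `check` are hypothetical names.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str  # request-target exactly as it appears on the request line
    headers: dict = field(default_factory=dict)  # lowercased field names

def component_value(req: Request, name: str) -> str:
    # @-prefixed names are derived components; anything else is a header field.
    # @request-target is taken verbatim (assumption: no default-port normalization).
    if name == "@method":
        return req.method.upper()
    if name == "@request-target":
        return req.target
    if name == "@authority":
        return req.headers["host"].strip().lower()
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component: {name}")
    return " ".join(req.headers[name].split())

def signature_base(req: Request, covered: list, params: str = "") -> str:
    # One '"name": value' line per covered component, then the @signature-params
    # line: the covered identifiers as an inner list followed by the parameters.
    lines = [f'"{c}": {component_value(req, c)}' for c in covered]
    inner = "(" + " ".join(f'"{c}"' for c in covered) + ")"
    lines.append(f'"@signature-params": {inner}{params}')
    return "\n".join(lines)

@dataclass
class Case:  # one record of the proposed suite (key material and signature omitted)
    request: Request
    covered: list
    params: str
    expected_base: str
    note: str = ""  # why the expected result is right, for non-obvious cases

def check(case: Case) -> tuple:
    # (passed, explanation): a failing record reports the mismatch with its note.
    got = signature_base(case.request, case.covered, case.params)
    if got == case.expected_base:
        return True, "ok"
    return False, f"{case.note}\nexpected:\n{case.expected_base}\ngot:\n{got}"

# Constructed record for the CONNECT request line quoted in the post.
PARAMS = ';created=1668690950;keyid="test-key"'  # constructed parameter values
CONNECT_CASE = Case(Request("CONNECT", "www.example.com:80", {"host": "www.example.com"}),
                    ["@method", "@request-target", "@authority"], PARAMS,
                    '"@method": CONNECT\n"@request-target": www.example.com:80\n"@authority": www.example.com\n'
                    f'"@signature-params": ("@method" "@request-target" "@authority"){PARAMS}')
```

A record for the absolute-form `GET` in the post would differ only in its expected `@request-target` line, which is exactly where the open question would be settled by the suite.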