Test Suite for Signature? Space to discuss corner cases?

Hi,

As I am implementing [Signing HTTP Messages](https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html)

The test suite in the doc is pretty good, but more may be better here…
One could perhaps collect a lot more corner cases by putting together a test
suite.

Such a suite could consist of a set of data in some format each consisting of

* server context data (port, optional name, https or http)
* a (request response) pair, max one of them being optional
* a `Signature-Input` description
* the resulting signature base
* a signature, using one of the keys
* whether the signature is valid, and if not why not (e.g. the date specified is
  semantically invalid)

Then one could discuss all kinds of corner cases, and come up with new test cases.
That would allow one to collect difficult cases, with explanations as to why that
is the correct result when it is not easy to see.

It would also be good if there were a channel to discuss these cases, such as perhaps the IETF [Zulip Http Signature](https://zulip.ietf.org/#narrow/stream/225-httpbis/topic/Signing.20HTTP.20Messages) stream? If we can publicize it for implementors we may get some interesting feedback that way, without needing to bother the whole mailing list here.

Here is a little question I have for example. The spec says in §2.2.5 that for a request

```HTTP
CONNECT www.example.com:80 HTTP/1.1
Host: www.example.com
```

the `@request-target` attribute should have as value the content of the string "www.example.com:80". Is that specific
to `CONNECT`? What should the value be for

```HTTP
GET http://example.com:80/hello HTTP/1.1
```

Should it be "http://example.com:80/hello" or "http://example.com/hello" because 80 is the default port for `http`?

If I am asking myself questions here, I guess many other implementors will too, and they may come to different conclusions.

It could also be useful to have a forum or DB where people can explain problems with intermediaries that come with experience deploying this, so that people building specs on this could make informed choices of headers to sign.


Henry Story

PS. I have mostly completed my update with tests here:
https://github.com/bblfish/httpSig/pull/12


https://co-operating.systems
WhatsApp, Signal, Tel: +33 6 38 32 69 84
Twitter: @bblfish

Received on Thursday, 17 November 2022 13:16:17 UTC
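
A sketch of one test vector with the fields listed in the message, and a runner for it, added here as an example (not code from the message, the draft or the httpSig project). The dictionary field names, the key and the request are hypothetical and constructed; only `@method`, `@authority`, `@path` and plain header fields are handled, with HMAC-SHA256 as the algorithm.

```python
import base64, hashlib, hmac

DEFAULT_PORTS = {"http": 80, "https": 443}
def component_value(name, ctx, req):
    if name == "@method":
        return req["method"]
    if name == "@path":
        return req["target"].split("?", 1)[0]
    if name == "@authority":
        # Lowercase host, default port dropped: this is why the vector needs the
        # scheme from the server context. IPv6 literals are not handled here.
        host, _, port = req["headers"]["host"].lower().partition(":")
        if port and int(port) != DEFAULT_PORTS[ctx["scheme"]]:
            return f"{host}:{port}"
        return host
    return req["headers"][name].strip()

def signature_base(v):
    lines = [f'"{c}": {component_value(c, v["context"], v["request"])}'
             for c in v["covered"]]
    inner = " ".join(f'"{c}"' for c in v["covered"])
    lines.append(f'"@signature-params": ({inner}){v["params"]}')
    return "\n".join(lines)

def sign(key, base):  # HMAC-SHA256, base64-encoded
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()

def run_vector(v, keys):
    """Return (valid, reason) so it can be compared with the vector's own verdict."""
    base = signature_base(v)
    if base != v["expected_base"]:
        return (False, "signature base mismatch")
    if not hmac.compare_digest(sign(keys[v["keyid"]], base), v["signature"]):
        return (False, "signature mismatch")
    return (True, None)

# Constructed sample data: key, request and signature are made up for this example.
KEYS = {"test-key": b"constructed-shared-secret"}
VECTOR = {
    "context": {"scheme": "https", "port": 443},
    "request": {"method": "POST", "target": "/foo?x=1", "headers": {
        "host": "Example.COM:443", "date": "Tue, 20 Apr 2021 02:07:55 GMT"}},
    "covered": ["@method", "@authority", "@path", "date"],
    "params": ';created=1618884473;keyid="test-key"', "keyid": "test-key",
    "expected_base": '"@method": POST\n"@authority": example.com\n"@path": /foo\n'
                     '"date": Tue, 20 Apr 2021 02:07:55 GMT\n"@signature-params": '
                     '("@method" "@authority" "@path" "date");created=1618884473;keyid="test-key"',
    "valid": True, "reason": None}
VECTOR["signature"] = sign(KEYS["test-key"], VECTOR["expected_base"])
```

Running the same vector with the context scheme changed to `http` yields `example.com:443` for `@authority`, so the recorded base no longer matches.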