Encodings for Signatures from Justin Richer on 2023-04-12 (ietf-http-wg@w3.org from April to June 2023)

From: Justin Richer <jricher@mit.edu>
Date: Wed, 12 Apr 2023 20:33:47 +0000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4250FC2F-FABC-44EC-94D8-942F592E3620@mit.edu>

I’ve put together a PR that should hopefully address the last few problems with encodings in signatures for both query parameters and header fields:

https://github.com/httpwg/http-extensions/pull/2505


This does have a breaking change in how “@query-param” is handled, based on potential issues with the value of the decoded query parameter from the HTML URL specification (https://url.spec.whatwg.org/#urlencoded-serializing). Namely, it could include newlines. Instead of trying to use binary-wrapping or some other trick, I’m proposing we just lean on the existing percent-encoding that HTML URL spec includes. This also helps with systems that decode “+” and “%20” as a space, and could give verifiers headaches when dealing with the decoded value.

The PR includes additional examples of these cases.

Even though this is a breaking change, the editors believe that this is a bug-fix type of change that affects a very small portion of users of this feature, and so do not suggest that the document be returned to WGLC. We’d appreciate some feedback to this new method.

— Justin

Received on Wednesday, 12 April 2023 20:34:24 UTC