Encodings for Signatures

I’ve put together a PR that should hopefully address the last few problems with encodings in signatures for both query parameters and header fields:


This does have a breaking change in how “@query-param” is handled, based on potential issues with the value of the decoded query parameter from the HTML URL specification (https://url.spec.whatwg.org/#urlencoded-serializing). Namely, it could include newlines. Instead of trying to use binary-wrapping or some other trick, I’m proposing we just lean on the existing percent-encoding that HTML URL spec includes. This also helps with systems that decode “+” and “%20” as a space, and could give verifiers headaches when dealing with the decoded value.

The PR includes additional examples of these cases.

Even though this is a breaking change, the editors believe that this is a bug-fix type of change that affects a very small portion of users of this feature, and so do not suggest that the document be returned to WGLC. We’d appreciate some feedback to this new method.

— Justin

Received on Wednesday, 12 April 2023 20:34:24 UTC