Re: draft-ietf-httpbis-digest-headers-11, "6.3. Usage in Signatures"

I've made https://github.com/httpwg/http-extensions/pull/2509 to try and
make this clearer. Please let me know if that works for you.

Cheers,
Lucas

On Sat, Mar 18, 2023 at 11:01 AM Julian Reschke <julian.reschke@gmx.de>
wrote:

> On 18.03.2023 00:15, Lucas Pardue wrote:
> > Hi Julian,
> >
> > On Sun, 12 Mar 2023, 13:13 Julian Reschke, <julian.reschke@gmx.de
> > <mailto:julian.reschke@gmx.de>> wrote:
> >
> >     Hi there,
> >
> >       > Signatures are likely to be deemed an adversarial setting when
> >     applying Integrity fields; see Section 5. Using signatures to protect
> >     the checksum of an empty representation allows receiving endpoints to
> >     detect if an eventual payload has been stripped or added.
> >
> >     I understand the case where a representation was *added* (where
> >     previously it was empty). But the opposite case?
> >
> >
> > Thanks for raising this. IIRC I think the intention was to describe a
> > scenario where signatures are used with digest and that either a) there
> > is nothing to send, so use the empty representation digest (helping to
> > spot addition) b) there is something to send, so send the digest of that
> > and then if the payload gets stripped, the receiver can detect the
> > digest doesn't match that of an empty representation and then bail.
>
> But in case (b), you are not doing what the spec currently says: "Using
> signatures to protect the checksum of an empty representation..."???
>
> /me still confused
>
> > ...
>
> Best regards, Julian
>
>

Received on Thursday, 13 April 2023 01:59:06 UTC