- From: Lucas Pardue <lucaspardue.24.7@gmail.com>
- Date: Thu, 13 Apr 2023 02:58:49 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CALGR9oaxX2FdGK-DLzaML8WES2K1j1pA_njMh51MmSH0sS2+dQ@mail.gmail.com>
I've made https://github.com/httpwg/http-extensions/pull/2509 to try and make this clearer. Please let me know if that works for you. Cheers, Lucas On Sat, Mar 18, 2023 at 11:01 AM Julian Reschke <julian.reschke@gmx.de> wrote: > On 18.03.2023 00:15, Lucas Pardue wrote: > > Hi Julian, > > > > On Sun, 12 Mar 2023, 13:13 Julian Reschke, <julian.reschke@gmx.de > > <mailto:julian.reschke@gmx.de>> wrote: > > > > Hi there, > > > > > Signatures are likely to be deemed an adversarial setting when > > applying Integrity fields; see Section 5. Using signatures to protect > > the checksum of an empty representation allows receiving endpoints to > > detect if an eventual payload has been stripped or added. > > > > I understand the case where a representation was *added* (where > > previously it was empty). But the opposite case? > > > > > > Thanks for raising this. IIRC I think the intention was to describe a > > scenario where signatures are used with digest and that either a) there > > is nothing to send, so use the empty representation digest (helping to > > spot addition) b) there is something to send, so send the digest of that > > and then if the payload gets stripped, the receiver can detect the > > digest doesn't match that of an empty representation and then bail. > > But in case (b), you are not doing what the spec currently says: "Using > signatures to protect the checksum of an empty representation..."??? > > /me still confused > > > ... > > Best regards, Julian > >
Received on Thursday, 13 April 2023 01:59:06 UTC