- From: Francesca Palombini <francesca.palombini@ericsson.com>
- Date: Mon, 9 Jan 2023 21:38:06 +0000
- To: "draft-ietf-httpbis-message-signatures@ietf.org" <draft-ietf-httpbis-message-signatures@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <AS1PR07MB86162D580AFAF1CCBE03A77298FE9@AS1PR07MB8616.eurprd07.prod.outlook.com>
# AD Review of draft-ietf-httpbis-message-signatures-15 cc @fpalombini Thank you to the authors and working group for another well written document. Also, I appreciate the several examples throughout the document, they make the text even more clear and easy to read. I don't have many comments, mostly minor and nits. I do have one comment about the reference to HTMLURL that we should probably fix before the IETF Last Call is started. The rest of the comment and questions you can address together with any other IETF Last Call comments. Feel free to take or leave, however answers are appreciated. Francesca ## Comments ### Absent query Section 2.2.7: >If the query string is absent from the request message, the value is the leading ? character alone: When would it make sense to sign this component although empty? Might be good to add some clarification for the reader. ### IANA registry names inconsistencies Section 2.3: >alg: The HTTP message signature algorithm from the HTTP Message Signature Algorithm Registry, as a String value. Section 3.2: >If the algorithm is explicitly stated in the signature parameters using a value from the HTTP Message Signatures registry, the verifier will use the referenced algorithm. Section 3.3: >through mutual agreement between the signer and verifier. Signature algorithms selected using the alg parameter MUST use values from the HTTP Message Signature Algorithms Registry (Section 6.2). Section 3.3.7: >algorithm values are not registered in the HTTP Message Signature Algorithms Registry (Section 6.2), and so the explicit alg signature Section 7.3.1: >used to sign HTTP messages. The HTTP Message Signatures Algorithm Registry is one source of trusted signature algorithms for applications to apply to their messages. I believe all of the above should refer to HTTP Signature Algorithms Registry instead (I hope I caught all of them) Section 2.2: > Additional derived component names are defined in the HTTP Signatures Derived Component Name Registry. (Section 6.4) Should be HTTP Signature Derived Component Names Registry Section 2.3: > Additional parameters can be defined in the HTTP Signature Parameters Registry (Section 6.3.2). Note that there is no general ordering to Should be HTTP Signature Component Parameters Registry - Also it would be better to reference 6.3 rather than 6.3.2. ### Accept clarification question Section 5.1: >algorithm or key identifier. These parameters MUST NOT include parameters that the signer is expected to generate, such as the created parameter. Why should it not? Couldn't the verifier include these empty parameters to indicate that the signer is expected to generate and send them? ### Missing expert guidelines The new registries do not have any guidance for the designated experts as to what registrations should be accepted or denied (conformance with template, point squatting, availability of reference specification, etc). See section 4.5 of RFC8126: The required documentation and review criteria, giving clear guidance to the designated expert, should be provided when defining the registry. It is particularly important to lay out what should be considered when performing an evaluation and reasons for rejecting a request. ### Define deprecated I would suggest being explicit about the meaning of "active" and especially "deprecated": these are terms everywhere in RFCs (I am aware), but sometimes they are open for interpretation, and we keep discussing their meaning. It would be good to avoid that situation from this doc. ### Wrong ref Section 2.1: > Additional parameters can be defined in the registry established in Section 6.3. I believe it should be 6.5. Also it would be good to name the HTTP Signature Component Parameters Registry explicitely. ### Reference to RFC7525 Obsolete informational reference: RFC 7525 (ref. 'BCP195') (Obsoleted by RFC 9325). Please update. ### Reference to HTMLURL Thanks to Tommy for detailed shepherd write up, that tells me you have discussed this already. Seems obvious that the HTMLURL reference needs to be normative, so we might need to reference a snapshot of this instead. See the following text in the IESG statement: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ > Note 4: Normative references in RFCs cannot be to "work in progress" documents such as Internet Drafts. Drafts with such references will not be published as RFCs until the references are also published. I'd like to get this fixed before starting the Last Call. ## Nits ### Editorial Nits Section 3.1: >several concrete applications of signing algorithms are defined in in Section 3.3. s/in in/in Section 3.3: >The following sections contain several common signature algorithms and demonstrates how these cryptographic primitives map to the s/demonstrates/demonstrate Section 3.3.7: >other mechanisms common to JOSE implementations. In fact, and JWA algorithm values are not registered in the HTTP Message Signature Algorithms Registry (Section 6.2), and so the explicit alg signature s/and JWA algorithm values/JWA algorithm values Section 5.1: >message signature. The member's name is label that uniquely identifies the requested message signature within the context of the s/is label/is the label Section 7.4.3: >verifier has access to. Both signers and verifiers need to take carefully consider the source of all information when creating s/take carefully/carefully Section 7.5.2: >The verifier would have have a difficult time finding this class of errors since the value of the s/have have/have ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
Received on Monday, 9 January 2023 21:39:02 UTC