- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 18 Mar 2023 12:01:10 +0100
- To: Lucas Pardue <lucaspardue.24.7@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 18.03.2023 00:15, Lucas Pardue wrote: > Hi Julian, > > On Sun, 12 Mar 2023, 13:13 Julian Reschke, <julian.reschke@gmx.de > <mailto:julian.reschke@gmx.de>> wrote: > > Hi there, > > > Signatures are likely to be deemed an adversarial setting when > applying Integrity fields; see Section 5. Using signatures to protect > the checksum of an empty representation allows receiving endpoints to > detect if an eventual payload has been stripped or added. > > I understand the case where a representation was *added* (where > previously it was empty). But the opposite case? > > > Thanks for raising this. IIRC I think the intention was to describe a > scenario where signatures are used with digest and that either a) there > is nothing to send, so use the empty representation digest (helping to > spot addition) b) there is something to send, so send the digest of that > and then if the payload gets stripped, the receiver can detect the > digest doesn't match that of an empty representation and then bail. But in case (b), you are not doing what the spec currently says: "Using signatures to protect the checksum of an empty representation..."??? /me still confused > ... Best regards, Julian
Received on Saturday, 18 March 2023 11:01:27 UTC