W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2023

Re: draft-ietf-httpbis-digest-headers-11, "6.3. Usage in Signatures"

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 18 Mar 2023 12:01:10 +0100
Message-ID: <d737f172-4594-420f-8f5f-fce526ef58ac@gmx.de>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 18.03.2023 00:15, Lucas Pardue wrote:
> Hi Julian,
> On Sun, 12 Mar 2023, 13:13 Julian Reschke, <julian.reschke@gmx.de
> <mailto:julian.reschke@gmx.de>> wrote:
>     Hi there,
>       > Signatures are likely to be deemed an adversarial setting when
>     applying Integrity fields; see Section 5. Using signatures to protect
>     the checksum of an empty representation allows receiving endpoints to
>     detect if an eventual payload has been stripped or added.
>     I understand the case where a representation was *added* (where
>     previously it was empty). But the opposite case?
> Thanks for raising this. IIRC I think the intention was to describe a
> scenario where signatures are used with digest and that either a) there
> is nothing to send, so use the empty representation digest (helping to
> spot addition) b) there is something to send, so send the digest of that
> and then if the payload gets stripped, the receiver can detect the
> digest doesn't match that of an empty representation and then bail.

But in case (b), you are not doing what the spec currently says: "Using
signatures to protect the checksum of an empty representation..."???

/me still confused

> ...

Best regards, Julian
Received on Saturday, 18 March 2023 11:01:27 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 18 March 2023 11:01:29 UTC