Re: draft-ietf-httpbis-digest-headers-11, "6.3. Usage in Signatures"

On 18.03.2023 00:15, Lucas Pardue wrote:
> Hi Julian,
>
> On Sun, 12 Mar 2023, 13:13 Julian Reschke, <julian.reschke@gmx.de> wrote:
>
>     Hi there,
>
>       > Signatures are likely to be deemed an adversarial setting when
>     applying Integrity fields; see Section 5. Using signatures to protect
>     the checksum of an empty representation allows receiving endpoints to
>     detect if an eventual payload has been stripped or added.
>
>     I understand the case where a representation was *added* (where
>     previously it was empty). But the opposite case?
>
>
> Thanks for raising this. IIRC I think the intention was to describe a
> scenario where signatures are used with digest and that either a) there
> is nothing to send, so use the empty representation digest (helping to
> spot addition) b) there is something to send, so send the digest of that
> and then if the payload gets stripped, the receiver can detect the
> digest doesn't match that of an empty representation and then bail.

But in case (b), you are not doing what the spec currently says: "Using
signatures to protect the checksum of an empty representation..."???

/me still confused

> ...

Best regards, Julian

Received on Saturday, 18 March 2023 11:01:27 UTC
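The two cases (a) and (b) from the quoted reply, worked through as an added example that is not part of the thread or of the draft. It assumes the message content is the full representation with no content coding, and it uses an HMAC over the `Repr-Digest` field value as a simplified stand-in for a real HTTP message signature; the key, the sample bodies and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared key (assumption)

def repr_digest(body: bytes) -> str:
    """Repr-Digest field value in the draft's sha-256=:<base64>: form."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def sign(field_value: str) -> str:
    # Stand-in for a signature that covers only the digest field.
    return hmac.new(KEY, field_value.encode(), hashlib.sha256).hexdigest()

def send(body: bytes) -> dict:
    """Sender always emits a signed digest, even when there is nothing to send."""
    digest = repr_digest(body)
    return {"repr-digest": digest, "signature": sign(digest), "body": body}

def check(msg: dict) -> str:
    """Receiver: verify the signature first, then compare digest and body."""
    digest = msg.get("repr-digest")
    if digest is None or not hmac.compare_digest(sign(digest), msg.get("signature", "")):
        return "bad-signature"
    if hmac.compare_digest(digest, repr_digest(msg["body"])):
        return "ok"
    if digest == repr_digest(b""):
        return "content-added"      # case (a): signed digest is the empty one
    if msg["body"] == b"":
        return "content-stripped"   # case (b): signed digest is non-empty
    return "content-modified"

if __name__ == "__main__":
    empty = send(b"")                      # (a) nothing to send
    full = send(b'{"hello": "world"}')     # (b) something to send
    print(check(empty), check({**empty, "body": b"injected"}))
    print(check(full), check({**full, "body": b""}))
    # Swapping in the empty digest to hide the stripping breaks the signature.
    print(check({**full, "body": b"", "repr-digest": repr_digest(b"")}))
```

Only case (a) involves a signature over the checksum of an empty representation; in case (b) the signed value is the digest of the non-empty representation.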