HTTP Message Signatures [RFC 9421] percent-encoded URLs normalisation from Thibault Meunier on 2025-09-19 (ietf-http-wg@w3.org from July to September 2025)

From: Thibault Meunier <ot-ietf@thibault.uk>
Date: Fri, 19 Sep 2025 08:11:54 +0000
To: Working Group HTTP <ietf-http-wg@w3.org>
Message-ID: <QCSuypavsaagUoxYEW-9J9hPZX531r7RsBnak345rqOPd42j2pManzf4hGsg_81eC2xBAZbFK16ZmvW>

Hi http,

I'd like to confirm RFC 9421 HTTP Message Signatures [1] behaviour with regard to normalisation of URLs. For instance, Section 2.2.6 states

```
The value is normalized according to the rules provided in [HTTP], Section 4.2.3. Namely, an empty path string is normalized as a single slash (/) character. Path components are represented by their values before decoding any percent-encoded octets, as described in the simple string comparison rules provided in Section 6.2.1 of [URI].
```

And section 4.2.3 of [HTTP]

```
Characters other than those in the "reserved" set are equivalent to their percent-encoded octets: the normal form is to not encode them (see Sections 2.1 and 2.2 of [URI]).
```

The two statements appear to be in conflict. I'm not sure which one applies with regard to percent-encoded octets.

Let's take the example from [HTTP] section 4.2.3 `/%7Esmith`

Which of the following should be provided when used as "@path":

1. "/~smith"
2. "/%7Esmith"

Most implementations seems to use 2.
The example in RFC 9421 does not cover this case, and therefore I'm seeking clarification.

[1] https://datatracker.ietf.org/doc/html/rfc9421#name-path
[HTTP] https://datatracker.ietf.org/doc/html/rfc9110
[URI] https://datatracker.ietf.org/doc/html/rfc3986

Thank you,
Thibault

Received on Friday, 19 September 2025 14:31:25 UTC