- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 26 Mar 2014 10:59:57 +0530
- To: Trevor Perrin <trevp@trevp.net>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I'll have to think more about it. Do you need the HTML to specify
> other content negotiation headers, like Accept-Language,
> Accept-Charset, Accept-Encoding, etc?

Not sure. But, the RFC syntax allows us to add these (via similar syntax as content-type) if needed later. Contrast with including it in the hash, where we will then be stuck. But, if we get consensus that 20 page RFC is not needed for our simple use cases, we can consider simplifying it. In any case, as you note:

> Anyways, I think this spec is a great idea and how you base64 the hash
> doesn't really matter. I'd be happy to drop this while bigger issues
> are discussed.

Thanks! As you yourself noticed, the dependency on 6920 isn't huge and we would really appreciate feedback on the other parts of the spec for now. The 6920 syntax does give us some advantages (e.g., the ones I pointed out earlier).

> So you probably need to think more about things like registering algo
> names, hash truncation, hash agility, content negotiation,
> canonicalization, etc.

yes! Feedback on these things would be great. We try to talk about it, but more feedback will be great. Also see the "What should we hash" thread in the archives:
http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0023.html

thanks
Dev
Received on Wednesday, 26 March 2014 05:30:44 UTC