- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Wed, 17 Apr 2013 21:15:20 -0400
- To: Carsten Bormann <cabo@tzi.org>
- CC: public-webpayments@w3.org
On 04/17/2013 06:03 PM, Carsten Bormann wrote:
> On Apr 17, 2013, at 23:32, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
> I looked at this for about 5 seconds, but are you telling us the attacker gets to choose what the lines in the signed string are supposed to mean?

That definitely looks like a security hole in this scheme. The header names themselves should be included in the signature string, not just the values.

> Regards, Carsten

--
Dave Longley
CTO
Digital Bazaar, Inc.
Received on Thursday, 18 April 2013 01:14:28 UTC