Re: Web Keys and HTTP Signatures

On Apr 18, 2013, at 02:00, Martin Thomson <martin.thomson@gmail.com> wrote:

> It seems like a simple fix would be to
> include the list of headers under the signature as the first item.

Obviously.

The reason I didn't give this fix is that this just amounts to handing out more rope.

It seems to me the community may not have the resources to come up with a secure spec on their own.
I'd rather motivate them to spend some quality time with security experts than just throw "fixes"  for the immediately obvious problems over the wall, somehow hoping nobody will find the deeper ones.

Grüße, Carsten

Received on Thursday, 18 April 2013 08:11:56 UTC