- From: Kostas Koukopoulos <kk@longaccess.com>
- Date: Thu, 3 Jul 2014 12:45:39 +0300
- To: public-webpayments@w3.org
Hello,

I have been reading the updated HTTP-signatures draft, the mailing list archives, and the group minutes trying to understand better the construction of the string-to-sign. My understanding so far is that the first sentence in paragraph 2.3 of the spec is a bit ambiguous. It reads:

> [...] the client MUST use the values of each HTTP header field specified by `headers` in the order they appear.

Initially I thought this meant "in the order that they appear (in the transmitted HTTP request)". Possibly I was led to this interpretation by the language in the second bullet point of the instructions in that paragraph, regarding duplicate headers, which is:

> all header field values associated with the header field MUST be concatenated and used in the order in which they will appear in the transmitted HTTP message.

But there is another interpretation of "in the order they appear", which would be "in the order they appear in the `headers` parameter of the Signature header". Indeed this seems to be the interpretation used by the two implementations that I have found (node [1], and python [2]).

First, it would be helpful if this was clarified in the spec.

Second, I would like to point out that it is sometimes difficult for those who will implement the spec to determine the order of the headers in the sent request. Client libraries (such as python-requests) do not always provide APIs that can determine the header order, e.g. they might require that headers are provided in unordered dictionary objects. So in a sense the second interpretation is more simple for client developers (as evidenced by the choice made in the node and python libs).

Thank you,
Konstantinos

1. https://github.com/joyent/node-http-signature/blob/c5c4c3ab9a15b72e54d4c1e3a92625fddaf01a4f/lib/signer.js#L136
2. https://github.com/digitalbazaar/py-http-signature/blob/824de0d8957b4423b1ac986fe47a2d303cdfb434/http_signature/sign.py#L150

--
Konstantinos Koukopoulos (@ The Long Access Company) <kk@longaccess.com>
landline: +302117706924
mobile: +306948630066
Your Data. Safe. For Long.
Received on Thursday, 3 July 2014 13:35:14 UTC
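To make the ambiguity concrete, here is an added example (not code from the mail, the draft, or either library it cites) that builds the string-to-sign both ways: once in the order of the Signature `headers` parameter, once in the order the header fields are transmitted. The request, header values and HMAC key are constructed for illustration; the line format (lowercased names, `": "` separator, duplicate values joined with `", "`, `(request-target)` pseudo-header) follows the draft's section 2.3 as quoted above. When the two orders differ, signer and verifier that pick different interpretations produce different strings, and the signature does not verify.

```python
import hmac
import hashlib
import base64

# Constructed sample request (not taken from the draft or the mail).
METHOD = "POST"
PATH = "/foo?param=value"
# Header fields in the order they are transmitted, with one duplicated field.
WIRE_HEADERS = [
    ("Host", "example.org"),
    ("Date", "Tue, 07 Jun 2014 20:51:35 GMT"),
    ("Content-Type", "application/json"),
    ("X-Example", "first"),
    ("X-Example", " second "),
]
# Constructed shared secret for the hmac-sha256 algorithm.
SECRET = b"constructed-demo-key"


def _group(wire_headers):
    """Group header values by lowercased field name, keeping wire order
    within each field and trimming surrounding whitespace."""
    grouped = {}
    for name, value in wire_headers:
        grouped.setdefault(name.lower(), []).append(value.strip())
    return grouped


def _line(name, method, path, grouped):
    """One line of the string-to-sign for header `name`."""
    if name == "(request-target)":
        return f"(request-target): {method.lower()} {path}"
    if name not in grouped:
        raise KeyError(f"{name!r} listed in 'headers' but absent from request")
    return f"{name}: " + ", ".join(grouped[name])


def signing_string_param_order(method, path, wire_headers, headers_param):
    """Interpretation 2: lines in the order of the `headers` parameter."""
    grouped = _group(wire_headers)
    names = [h.lower() for h in headers_param]
    return "\n".join(_line(n, method, path, grouped) for n in names)


def signing_string_wire_order(method, path, wire_headers, headers_param):
    """Interpretation 1: same covered fields, emitted in transmitted order.
    (request-target) has no wire position; it is placed first here."""
    grouped = _group(wire_headers)
    wanted = {h.lower() for h in headers_param}
    lines, seen = [], set()
    if "(request-target)" in wanted:
        lines.append(_line("(request-target)", method, path, grouped))
    for name, _ in wire_headers:
        name = name.lower()
        if name in wanted and name not in seen:
            seen.add(name)
            lines.append(_line(name, method, path, grouped))
    return "\n".join(lines)


def hmac_sign(secret, string_to_sign):
    """hmac-sha256 over the string-to-sign, base64 encoded as in the draft."""
    mac = hmac.new(secret, string_to_sign.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def hmac_verify(secret, string_to_sign, signature):
    return hmac.compare_digest(hmac_sign(secret, string_to_sign), signature)


if __name__ == "__main__":
    param = ["(request-target)", "date", "host", "x-example"]
    s_param = signing_string_param_order(METHOD, PATH, WIRE_HEADERS, param)
    s_wire = signing_string_wire_order(METHOD, PATH, WIRE_HEADERS, param)
    sig = hmac_sign(SECRET, s_param)
    print("param order:\n" + s_param + "\n")
    print("wire order:\n" + s_wire + "\n")
    print("verifies under same interpretation:", hmac_verify(SECRET, s_param, sig))
    print("verifies under other interpretation:", hmac_verify(SECRET, s_wire, sig))
```

With `headers="(request-target) date host x-example"` the two strings differ only in the relative position of the `date` and `host` lines, which is enough for verification to fail; listing the fields in the parameter in the same order they are sent makes both readings agree. This is the reason the interpretation choice is an interoperability question rather than a stylistic one.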