Re: clarification re. http-signatures: header order

On 07/03/2014 05:45 AM, Kostas Koukopoulos wrote:
> I have been reading the updated HTTP-signatures draft, the mailing 
> list archives, and the group minutes trying to understand better the
>  construction of the string-to-sign.

Piecing all of that together sounds like torture, I admire your
tolerance for mental anguish. :)

> My understanding so far is that the first sentence in paragraph 2.3 
> of the spec is a bit ambiguous. It reads:
> 
>> [...] the client MUST use the values of each HTTP header field 
>> specified by `headers` in the order they appear.
> 
> Initially I thought this meant "in the order that they appear (in the
> transmitted HTTP request)". Possibly I was led to this 
> interpretation by the language in the second bullet point of the 
> instructions in that paragraph, regarding duplicate headers, which 
> is:
> 
>> all header field values associated with the header field MUST be 
>> concatenated and used in the order in which they will appear in
>> the transmitted HTTP message.
> 
> But there is another interpretation of "in the order they appear" 
> which would be "in the order they appear in the `headers` parameter 
> of the Signature header". Indeed this seems to be the interpretation 
> used by the two implementations that I have found (node [1], and 
> python [2]).
> 
> First, it would be helpful if this was clarified in the spec.

Done:

https://github.com/web-payments/web-payments.org/commit/b8f6d5fd16fce2e6c4b6746580f40420079ea6ad

To clarify, when generating the signature string, the client MUST use
the values of each HTTP header field in the `headers` Signature
parameter, in the order they appear in the `headers` Signature parameter.

If you don't do that, simple header re-ordering (by proxies) can
invalidate the signature and, as you noted in your initial email, some
HTTP libraries make it difficult to get to the header order.

Out of curiosity, are you looking into the HTTP Signatures spec to do an
implementation in another language? If so, note that the current
implementations lag the spec by a few months.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Friday, 4 July 2014 12:31:39 UTC
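The ordering rule discussed in this thread, as an added example that is not part of the original message or of either implementation mentioned in it. It builds the string-to-sign from the `headers` Signature parameter order, concatenates duplicate header values in wire order, and shows why the other reading (wire order) breaks under a proxy that reshuffles headers. The request headers, the key, and the use of `", "` as the separator between duplicate values are assumptions made for this example; the HMAC-SHA256 signing step stands in for whatever algorithm a real deployment negotiates.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample request: (name, value) pairs in the order they appear
# on the wire. Note the duplicated X-Forwarded-For header.
REQUEST: List[Tuple[str, str]] = [
    ("Host", "example.com"),
    ("Date", "Fri, 04 Jul 2014 12:31:39 GMT"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("X-Forwarded-For", "10.0.0.2"),
    ("Content-Type", "application/json"),
]

# The same request after a hypothetical proxy moved Host to the end and
# changed the case of a header name. Relative order of the duplicate
# X-Forwarded-For values is preserved, as a proxy appending to it would.
PROXY_REORDERED: List[Tuple[str, str]] = [
    ("Date", "Fri, 04 Jul 2014 12:31:39 GMT"),
    ("x-forwarded-for", "10.0.0.1"),
    ("x-forwarded-for", "10.0.0.2"),
    ("Content-Type", "application/json"),
    ("HOST", "example.com"),
]

# The `headers` parameter of the Signature header, in the order written there.
HEADERS_PARAM = ["date", "host", "x-forwarded-for"]

# Constructed shared secret for the HMAC demo (assumption, not from the thread).
KEY = b"example-shared-secret"


def build_signing_string(headers_param: List[str],
                         request_headers: List[Tuple[str, str]]) -> str:
    """String-to-sign per the clarified rule: iterate the `headers` parameter
    in *its* order; the request's wire order only decides how duplicates of
    one header are concatenated."""
    lines = []
    for name in headers_param:
        wanted = name.lower()  # header names are case-insensitive
        values = [v.strip() for n, v in request_headers if n.lower() == wanted]
        if not values:
            raise ValueError(f"header {name!r} is listed in `headers` but absent")
        # Assumed separator for duplicate values: comma and space.
        lines.append(f"{wanted}: {', '.join(values)}")
    return "\n".join(lines)


def signing_string_in_wire_order(headers_param: List[str],
                                 request_headers: List[Tuple[str, str]]) -> str:
    """The ambiguous reading: walk the request in wire order and emit the
    headers that are listed. Shown only to demonstrate its fragility."""
    listed = {h.lower() for h in headers_param}
    seen = []
    lines = []
    for n, v in request_headers:
        name = n.lower()
        if name in listed and name not in seen:
            values = [v2.strip() for n2, v2 in request_headers if n2.lower() == name]
            lines.append(f"{name}: {', '.join(values)}")
            seen.append(name)
    return "\n".join(lines)


def sign(headers_param: List[str], request_headers: List[Tuple[str, str]],
         key: bytes) -> str:
    """HMAC-SHA256 over the string-to-sign, base64 encoded."""
    msg = build_signing_string(headers_param, request_headers).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def demo() -> dict:
    """Return the comparisons a verifier on the other side of a proxy cares about."""
    return {
        "signing_string": build_signing_string(HEADERS_PARAM, REQUEST),
        # Wire-order reshuffling by a proxy does not change the clarified form...
        "stable_after_proxy": sign(HEADERS_PARAM, REQUEST, KEY)
        == sign(HEADERS_PARAM, PROXY_REORDERED, KEY),
        # ...but does change the wire-order interpretation.
        "wire_order_broken_by_proxy": signing_string_in_wire_order(HEADERS_PARAM, REQUEST)
        != signing_string_in_wire_order(HEADERS_PARAM, PROXY_REORDERED),
        # Reordering the `headers` parameter itself is a different signature.
        "param_order_matters": sign(HEADERS_PARAM, REQUEST, KEY)
        != sign(list(reversed(HEADERS_PARAM)), REQUEST, KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Because the verifier recomputes the string-to-sign from the `headers` parameter it received rather than from its own view of the wire order, any proxy between the two parties can reorder or re-case headers without invalidating the signature; it still cannot change a covered value, duplicate one, or drop one without the HMAC comparison failing.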