Re: clarification re. http-signature-nonces: parameter order

On 07/03/2014 05:53 AM, Kostas Koukopoulos wrote:
> In the last draft of the HTTP-signatures specification the BNF 
> grammar which described the signature header has been removed (it
> was thought to be unnecessary I believe).

Yes, the BNF grammar was removed because it was unnecessary.

> However, from reading the spec I get the impression that there is no 
> longer any restriction on the order of the "auth-param" parameters
> in the header. This is not necessarily a bad thing, although it could
> be clarified more strongly.

There was never meant to be any restriction on the order of the
"auth-param" parameters. This misconception was one of the reasons that
we got rid of the BNF. In general, most HTTP header parameters are
unordered. The section of the HTTP 1.1 specification that is referenced
details this point in the BNF and it's typically a bad idea to re-state
things that are stated in other specifications. So, I'm not going to
clarify it unless others raise the same issue you have.

> My question however is another, because this seems to create a 
> discrepancy with the last HTTP-signature-nonce specification which 
> includes a BNF grammar that lists the parameters in a specific
> order.

That specification is badly out of date and needs to be updated. We
haven't had the time to update it in a while, but it's next on the list
of specifications to update wrt. the http-signature-* series.

> So, what is the view of the group re. the HTTP-signature-nonces 
> spec?

Assume that the BNF for the http-signature-nonces will be stripped in
the next version and that the auth-param order in the Signature and
WWW-Authenticate headers doesn't matter. The signature string will most
likely be constructed in the same sort of manner, although the details
are yet to be determined.

Thanks for the feedback, Kostas; please let us know if this addresses all
of your concerns.

-- manu
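As an added illustration of the point above (example code, not from this thread or from the spec editors): a parser that treats the Signature header's auth-params as unordered, rejects duplicates and missing parameters, and builds the signing string from the `headers` parameter. The parameter names keyId, algorithm, headers and signature, the default of signing only `date`, and the `lowercase-name: value` signing-string layout are assumed from the HTTP Signatures draft; they are not stated in the message above.

```python
import re

# Assumed from the HTTP Signatures draft, not stated in the message above:
# the param names keyId/algorithm/headers/signature and a default of "date".
REQUIRED_PARAMS = {"keyId", "algorithm", "signature"}

# auth-param = token "=" ( token / quoted-string ), per the HTTP/1.1 grammar.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM_RE = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|(" + _TOKEN + r"))\s*(?:,|$)\s*"
)

def parse_auth_params(value: str) -> dict[str, str]:
    """Parse Signature auth-params in any order; reject duplicates and gaps."""
    params: dict[str, str] = {}
    pos = 0
    while pos < len(value):
        m = _PARAM_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, quoted, token = m.groups()
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        # Unescape backslash pairs inside quoted-string values.
        params[name] = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    missing = REQUIRED_PARAMS - set(params)
    if missing:
        raise ValueError(f"missing auth-param(s): {sorted(missing)}")
    return params

def signing_string(params: dict[str, str], request_headers: dict[str, str]) -> str:
    """One 'lowercase-name: value' line per name in the 'headers' param, in
    that order, joined by newlines (the draft's construction, assumed here)."""
    lookup = {k.lower(): v.strip() for k, v in request_headers.items()}
    lines = []
    for name in params.get("headers", "date").lower().split():
        if name not in lookup:
            raise ValueError(f"signed header {name!r} absent from request")
        lines.append(f"{name}: {lookup[name]}")
    return "\n".join(lines)

# Constructed sample: identical auth-params in two different orders.
HEADER_A = 'keyId="Test",algorithm="rsa-sha256",headers="date host",signature="c2ln"'
HEADER_B = 'signature="c2ln", headers="date host", algorithm="rsa-sha256", keyId="Test"'
REQUEST_HEADERS = {"Host": "example.com", "Date": "Thu, 03 Jul 2014 05:53:00 GMT"}
```

Note that the order of names inside the `headers` parameter still matters, because it fixes the line order of the signing string; only the order of the auth-params themselves is irrelevant.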

