- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 21 Jul 2014 21:47:59 -0400
- To: Kostas Koukopoulos <kk@longaccess.com>, public-webpayments@w3.org

On 07/03/2014 05:53 AM, Kostas Koukopoulos wrote:
> In the last draft of the HTTP-signatures specification the BNF
> grammar which described the signature header has been removed (it
> was thought to be unnecessary I believe).

Yes, the BNF grammar was removed because it was unnecessary.

> However, from reading the spec I get the impression that there is no
> longer any restriction on the order of the "auth-param" parameters
> in the header. This is not necessarily a bad thing, although it could
> be clarified more strongly.

There was never meant to be any restriction on the order of the "auth-param" parameters. This misconception was one of the reasons that we got rid of the BNF. In general, most HTTP header parameters are unordered. The section of the HTTP 1.1 specification that is referenced details this point in the BNF and it's typically a bad idea to re-state things that are stated in other specifications. So, I'm not going to clarify it unless others raise the same issue you have.

> My question however is another, because this seems to create a
> discrepancy with the last HTTP-signature-nonce specification which
> includes a BNF grammar that lists the parameters in a specific
> order.

That specification is badly out of date and needs to be updated. We haven't had the time to update it in a while, but it's next on the list of specifications to update wrt. the http-signature-* series.

> So, what is the view of the group re. the HTTP-signature-nonces
> spec?

Assume that the BNF for the http-signature-nonces will be stripped in the next version and the auth-param order in the Signature and WWW-Authenticate header doesn't matter. The signature string will most likely be constructed in the same sort of manner, although the details are still yet to be determined.

Thanks for the feedback Kostas, please let us know if this addresses all of your concerns.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Tuesday, 22 July 2014 01:48:29 UTC
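
The point made in the message above, that auth-param order in the Signature header carries no meaning, is illustrated by the following added example, which is not part of the original message or of any specification text. It parses auth-params into a name-keyed mapping following the RFC 7235 auth-param rule (names matched case-insensitively, each name at most once); the function name `parse_auth_params` is hypothetical, the parameter names `keyId`, `algorithm`, `headers` and `signature` are those used by the HTTP Signatures draft, and all sample values are constructed.

```python
import re

# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 7235, section 2.1)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*(,|$)")


def parse_auth_params(value):
    """Parse comma-separated auth-params into a dict keyed by lowercased name.

    Order is not preserved on purpose: a verifier must look parameters up
    by name, never by position. Duplicate names are rejected so that two
    parsers cannot disagree about which value is the one that was signed.
    """
    if not value.strip():
        raise ValueError("empty parameter list")
    params = {}
    pos = 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if name in params:
            raise ValueError(f"duplicate auth-param: {name}")
        if raw.startswith('"'):
            # Strip the surrounding quotes and undo quoted-pair escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[name] = raw
        pos = m.end()
    return params


# Constructed sample values: the same four parameters in two different orders.
ORDER_A = ('keyId="test-key",algorithm="rsa-sha256",'
           'headers="host date",signature="c2lnbmF0dXJl"')
ORDER_B = ('signature="c2lnbmF0dXJl", headers="host date", '
           'keyId="test-key", algorithm="rsa-sha256"')

if __name__ == "__main__":
    print(parse_auth_params(ORDER_A) == parse_auth_params(ORDER_B))
```
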