Closed ioggstream closed 5 years ago
For now, we only warn that:
The challenge here is to add useful guidance that is relevant to Digest and expected usages but without also defining the expected usages completely.
The dependency model is that a signature doesn't need to include a digest but it can; a digest doesn't include a signature. Attempting to explain too much of signature risks inverting the dependency (or at least coupling too tightly).
I think what we have today is sufficient but am open to compelling reasons on what would be really helpful to define in this document.
Agree. My point is just avoiding all the problematic usage of Digest in signatures.
Feel free to highlight what is in-scope and what it is not.
I expect
To better detail the usage of Digest in signatures, including:
Questions
should we make explicit here further requirements (e.g. timestamps, request-target, :method:, ...) or is that off-topic?
should we warn about algorithm-based attacks (e.g. MAC signatures are vulnerable to Length-Extension attacks)?
consider signing Content-Length too (it's a representation-metadata in http-core), though it would eliminate the ability to do things like chunked transfer-encoding, which is quite common. @dlongley
Notes
Split from #15
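The dependency discussed in this thread (a signature may cover Digest, while Digest carries no signature) means a verifier has to do two checks, which this added example shows; it is not code from the thread or from any draft. The signing-string layout, the HMAC-SHA256 key, the header values and all function names are constructed assumptions.

```python
import base64
import hashlib
import hmac

def digest_header(body: bytes) -> str:
    # Digest field value in the "SHA-256=<base64>" form.
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, target, headers, covered) -> bytes:
    # Assumed, simplified layout: one "name: value" line per covered component.
    lines = [f"(request-target): {method.lower()} {target}"]
    lines += [f"{name.lower()}: {headers[name]}" for name in covered]
    return "\n".join(lines).encode()

def sign(key, method, target, headers, covered) -> str:
    mac = hmac.new(key, signing_string(method, target, headers, covered), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(key, method, target, headers, covered, signature, body, check_body=True):
    """Return (ok, reason). check_body=False models a verifier that trusts
    the signed Digest value without recomputing it over the received body."""
    if "Digest" not in covered:
        # The signature says nothing about the body if Digest is not covered.
        return False, "Digest not covered by signature"
    expected = sign(key, method, target, headers, covered)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if check_body and not hmac.compare_digest(headers["Digest"], digest_header(body)):
        return False, "digest does not match body"
    return True, "ok"

# Constructed sample request (not taken from the thread).
KEY = b"constructed-demo-key"
BODY = b'{"amount": 10}'
TAMPERED = b'{"amount": 1000}'
HEADERS = {"Date": "Sat, 07 Jun 2014 20:51:35 GMT", "Digest": digest_header(BODY)}
COVERED = ["Date", "Digest"]
SIG = sign(KEY, "POST", "/pay", HEADERS, COVERED)

if __name__ == "__main__":
    for body, check in ((BODY, True), (TAMPERED, True), (TAMPERED, False)):
        print(check, verify(KEY, "POST", "/pay", HEADERS, COVERED, SIG, body, check))
```

With `check_body=False` the altered body is accepted even though the signature is valid, because the signature only binds the Digest field value, not the bytes received.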