w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

created and expires should be signed if present #66

Open ioggstream opened 5 years ago

ioggstream commented 5 years ago

When

created and expires are specified

Signature: created=..., expires=...,

I expect

they should be present in headers="(created) (expires)"

instead

They are not mandatory

Note

I propose that when present, they shouldn't be listed in headers. Instead, they should be added at the top of the signature string.

@liamdennehy: what do you think?

liamdennehy commented 5 years ago

Indeed - anything that has meaning for the signature, whether the content being signed or metadata describing the signature, should be signed too. Essentially if a parameter being modified affects the meaning, it should be included.

We should establish a canonical order for metadata fields, and state they should be included first. They should not be implied though - they still need to be explicitly listed in the headers field.
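The following is an added example illustrating the point raised in this issue and the reply above; it is not code from the http-signatures project or from either commenter. It builds the draft-cavage signing string (one "name: value" line per covered identifier, with `(created)` and `(expires)` taken from the signature parameters), signs it with HMAC-SHA256 over a constructed shared key, and shows that when `created`/`expires` are carried in the `Signature` header but not covered by `headers=`, an altered `expires` still verifies, whereas covering them makes the alteration detectable. The "metadata first" ordering and the `check_metadata_covered` verifier-side check follow the proposal in this thread; the header values, timestamps and key are constructed sample data, and HMAC is an assumption (the spec allows other algorithms).

```python
import hashlib
import hmac

# Signature parameters that, when present, must also be covered by the
# signature per the proposal in this issue (listed explicitly in headers=).
METADATA_PARAMS = ("(created)", "(expires)")


def build_signing_string(headers, params, covered):
    """Build the draft-cavage signing string.

    One 'name: value' line per identifier in `covered`, in the listed order.
    Pseudo-headers (created), (expires) and (request-target) take their
    values from the signature parameters rather than from HTTP headers.
    """
    lines = []
    for name in covered:
        if name == "(created)":
            lines.append(f"(created): {params['created']}")
        elif name == "(expires)":
            lines.append(f"(expires): {params['expires']}")
        elif name == "(request-target)":
            lines.append(f"(request-target): {params['request_target']}")
        else:
            lines.append(f"{name}: {headers[name.lower()]}")
    return "\n".join(lines)


def sign(key, headers, params, covered):
    """HMAC-SHA256 over the signing string (assumed algorithm, hex output)."""
    signing_string = build_signing_string(headers, params, covered)
    return hmac.new(key, signing_string.encode(), hashlib.sha256).hexdigest()


def verify(key, headers, params, covered, signature):
    """Recompute the signature and compare in constant time."""
    expected = sign(key, headers, params, covered)
    return hmac.compare_digest(expected, signature)


def check_metadata_covered(params, covered):
    """Return the metadata parameters present in `params` that are missing
    from the covered list; a verifier should reject if this is non-empty."""
    missing = []
    for pseudo in METADATA_PARAMS:
        param_name = pseudo.strip("()")
        if param_name in params and pseudo not in covered:
            missing.append(pseudo)
    return missing


def demonstrate():
    """Compare an uncovered and a covered created/expires pair under tampering."""
    key = b"constructed-shared-secret"  # constructed sample key
    headers = {"host": "example.com", "date": "Tue, 07 Jun 2014 20:51:35 GMT"}
    params = {
        "created": 1402170695,  # constructed sample timestamps
        "expires": 1402170995,
        "request_target": "get /foo",
    }
    # Metadata present in the Signature header but not covered.
    weak = ["(request-target)", "host", "date"]
    # Metadata covered first, then the request headers (ordering assumed).
    strong = ["(created)", "(expires)", "(request-target)", "host", "date"]

    sig_weak = sign(key, headers, params, weak)
    sig_strong = sign(key, headers, params, strong)

    # An in-transit change that pushes expires ten years into the future.
    tampered = dict(params, expires=params["expires"] + 10 * 365 * 24 * 3600)

    return {
        "weak_accepts_tampered_expires": verify(key, headers, tampered, weak, sig_weak),
        "strong_rejects_tampered_expires": not verify(key, headers, tampered, strong, sig_strong),
        "weak_missing_coverage": check_metadata_covered(params, weak),
        "strong_missing_coverage": check_metadata_covered(params, strong),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

A verifier that applies `check_metadata_covered` before checking the HMAC enforces the rule from the issue: any `created` or `expires` value it is about to act on (for freshness or expiry decisions) has to be part of what the signer committed to.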