liamdennehy closed 4 years ago
To open with my position, I have proposed the principle:
If HTTP does or permits something, this protocol should allow it to be signed.
This protocol has the most utility if it simply allows security to be added to a message, without carving out exceptions based on our own concerns. Principally, the choice to accept multiple header instances should be made by the application itself - regardless of whether they accept signatures. I don't feel this is a constraint we should be making on an application's behalf, especially if this is what they already permit.
Two months seems a good time to close this.
https://github.com/w3c-dvcg/http-signatures/issues/85 and https://github.com/w3c-dvcg/http-signatures/issues/50 both depend on answering a single question: Do we interpret RFC7230 Section 3.2.2 as
I don't think different answers for each issue would be appropriate, so I hope to get consensus on this principle as proposed in https://github.com/w3c-dvcg/http-signatures/pull/87 in a dedicated discussion here.