w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

Project stance on signatures incorporating external data #91

Closed liamdennehy closed 4 years ago

liamdennehy commented 5 years ago

In the project's proposed principle "What You See is What You Sign":

signatures should be verifiable given the information available at that time. Signatures should not rely on information not present in a given message except for the secrets used

In order to reconstruct the Signing String, a verifier needs access to all the data that process depends on. Some of this information may be contextual:

Should this specification permit a Signing String to be constructed using contextual sources and not exclusively on information present in the message itself?

liamdennehy commented 4 years ago

As stated in README.md all verification information must be provided in-band, and not rely on context or external sources. Closing as accepted after two months.
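The in-band rule stated above, as an added example that is not code from the spec or the w3c-ccg project: a verifier that rebuilds the Signing String the way draft-cavage describes it (one lowercased `name: value` line per entry of the `headers` parameter, `(request-target)` derived from the request line, lines joined by `\n`) using only fields present in the message, and takes nothing from outside the message except the secret selected by `keyId`. If a covered header is missing, it fails closed rather than filling the value from context. The key store, key id, request, body and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo key store: keyId -> shared secret. The secret is the one
# out-of-band input the principle permits; both values are made up here.
KEYS = {"demo-key": b"constructed-demo-secret"}

PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_signature_header(value):
    """Split 'keyId="..",algorithm="..",headers="..",signature=".."' into a dict."""
    return {m.group(1): m.group(2) for m in PARAM.finditer(value)}


def build_signing_string(method, target, headers, header_list):
    """Reconstruct the Signing String from the message alone.

    Every line comes from the request line or a header that is actually
    present; a covered header that is absent raises instead of being
    guessed from context or a cache."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in header_list:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise ValueError(f"header {name!r} is covered by the signature but not in the message")
    return "\n".join(lines)


def sign_request(method, target, headers, header_list, key_id, secret):
    """Return the Signature header value for a request, using hmac-sha256."""
    signing_string = build_signing_string(method, target, headers, header_list)
    mac = hmac.new(secret, signing_string.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode("ascii")
    return (f'keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(header_list)}",signature="{sig}"')


def verify_request(method, target, headers, keys=KEYS):
    """Verify with nothing but the message and the secret named by keyId.

    Returns False for a missing Signature header, unknown key, unsupported
    algorithm, missing covered header, malformed base64 or MAC mismatch."""
    sig_header = headers.get("Signature")
    if sig_header is None:
        return False
    params = parse_signature_header(sig_header)
    secret = keys.get(params.get("keyId", ""))
    if secret is None or params.get("algorithm") != "hmac-sha256":
        return False
    header_list = params.get("headers", "date").split()  # spec default: Date only
    try:
        signing_string = build_signing_string(method, target, headers, header_list)
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, signing_string.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def demo():
    """Constructed request; returns (valid, missing_header_rejected, tampered_rejected)."""
    method, target = "POST", "/foo?param=value"
    body = b'{"hello": "world"}'
    headers = {
        "Host": "example.com",
        "Date": "Sun, 05 Jan 2014 21:31:40 GMT",
        "Content-Type": "application/json",
        "Digest": "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii"),
    }
    covered = ["(request-target)", "host", "date", "digest"]
    headers["Signature"] = sign_request(method, target, headers, covered, "demo-key", KEYS["demo-key"])
    valid = verify_request(method, target, headers)

    # Even a verifier that could recompute Digest from the body must not: the
    # covered header is not in the message, so verification fails closed.
    stripped = {k: v for k, v in headers.items() if k != "Digest"}
    missing_rejected = not verify_request(method, target, stripped)

    # Any change to a covered header changes the reconstructed string.
    tampered = dict(headers, Date="Mon, 06 Jan 2014 21:31:40 GMT")
    tampered_rejected = not verify_request(method, target, tampered)
    return valid, missing_rejected, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the example is the `else` branch in `build_signing_string`: the verifier has no code path that consults anything but the request, so a signature whose covered fields are not all carried by the message cannot verify, which is exactly the property the README principle asks for.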

ioggstream commented 4 years ago

@liamdennehy question: are certificate chains/transparency logs/OCSP considered out-of-band information?

liamdennehy commented 4 years ago

Indeed, the spec simply refers to keys, as does the principle above. It's also agnostic to certificates themselves, as this is just metadata about a key.

How a particular key is trusted to sign a message (e.g. certificate chains from a CA/B Forum root, membership in a private trust scheme), and why (e.g. specified in law), is entirely up to the implementation.