Re: [auth48] AUTH48: RFC-to-be 9421 <draft-ietf-httpbis-message-signatures-19> for your review

[rfc-editor@rfc-editor.org]

Authors,

While reviewing this document during AUTH48, please resolve (as necessary) 
the following questions, which are also in the XML file.

1) <!-- [rfced] Note that we have removed the URI <https://manu.sporny.org/>.  We checked its availability many times (including today) and were unable to connect.  
        <uri>https://manu.sporny.org/</uri> -->


2) <!-- [rfced] Sections 1 and subsequent:  Because many changes were
made to this document during the EDIT and AUTH states, please review
all updates in this document carefully, and let us know if anything
is incorrect.

Also, a follow-on to December 2023 email discussions regarding the
use of <tt>:  Please (1) review current instances of <tt> and
(2) review changes from "header" to "header field" as instructed
during the AUTH state (not applied to all parameters).  Let us know
if further updates are needed. -->


3) <!-- [rfced] Please review the "type" attribute of each sourcecode
element in the XML file to ensure correctness.  If the current list
of preferred values for "type"
(https://www.rfc-editor.org/materials/sourcecode-types.txt) does not
contain an applicable type, please let us know.  Also, it is
acceptable to leave the "type" attribute not set.  

In addition, review each artwork element.  Specifically, should any
artwork element be tagged as sourcecode? -->


4) <!-- [rfced] Sections 2.2.8 and subsequent:  Please review the links
that we provided when we made updates to the citations to [HTMLURL]
(best viewed in the HTML and PDF output files), and let us know if
there are any issues.  For example, it appears to us that these links
would be stable, but please let us know if this is incorrect:

 <https://url.spec.whatwg.org/#application/x-www-form-urlencoded>
   for Section 5
 <https://url.spec.whatwg.org/#urlencoded-parsing>
   for Section 5.1
 <https://url.spec.whatwg.org/#urlencoded-serializing>
   for Section 5.2 -->


5) <!-- [rfced] For alignment with the IANA registry, would it be appropriate to change "Specification document(s)" to "Reference(s)" in the descriptions and the column headers throughout Section 6? 

Example from Section 6.2.1: 
   Specification document(s):
      Reference to the document(s) that specify the algorithm,
      preferably including a URI that can be used to retrieve a copy of
      the document(s).  An indication of the relevant sections may also
      be included but is not required.
-->


6) <!-- [rfced] The description for ed25519 is slightly different than the other entries.  Is this intentional, or perhaps the description could be updated as follows: 

Original:
   Edwards Curve DSA using curve edwards25519

Perhaps: 
   ECDSA using curve edwards25519
-->


7) <!-- [rfced] We were unable to verify this statement.  Please confirm that the reference is correct.  

Original: 
   As discussed in [DIGEST], the value of the Content-Digest field is
   dependent on the content encoding of the message.
-->


8) <!-- [rfced] Section 7.3.3:  As it appears that "its" actually refers
to the symmetric cryptographic methods, we changed "its" to "their".
If this is incorrect, please clarify what "its" refers to.

Original (the previous sentence is included for context):
 The HTTP Message Signatures specification allows for both asymmetric
 and symmetric cryptography to be applied to HTTP messages.  By its
 nature, symmetric cryptographic methods require the same key material
 to be known by both the signer and verifier.

Currently:
 By their
 nature, symmetric cryptographic methods require the same key material
 to be known by both the signer and verifier. -->


9) <!-- [rfced] For clarity, may we update "other historical drafts" to "other Internet-Drafts"?  Is mention of "historical" important?  

Original:
   It is recommended
   that developers wishing to support both this specification and other
   historical drafts do so carefully and deliberately, as
   incompatibilities between this specification and various versions of
   other drafts could lead to unexpected problems.
-->


10) <!-- [rfced] Because this document is a Proposed Standard, may we update the following text? 

Original:
   It is recommended that implementers first detect and validate the
   Signature-Input field defined in this specification to detect that
   this standard is in use and not an alternative.

Perhaps:
   It is recommended that implementers first detect and validate the
   Signature-Input field defined in this specification to detect that
   the mechanism described in this document is in use and not an 
   alternative.
-->


11) <!-- [rfced] Please review the "Inclusive Language" portion of the
online Style Guide at
<https://www.rfc-editor.org/styleguide/part2/#inclusive_language>,
and let us know if any changes are needed.

For example, please consider whether the following should be updated: 

 whitespace -->


12) <!-- [rfced] Please let us know if any changes are needed for the
following:

a) The following terms were used inconsistently in this document.
We chose to use the latter forms.  Please let us know any objections.

 "@authority" derived component (last paragraph of Section 7.2.4) /
   @authority derived component (per unquoted names of derived
     components in the rest of this document)

 dictionary / Dictionary (per [STRUCTURED-FIELDS]; we see that
   [STRUCTURED-FIELDS] uses the term "Dictionary".)

 dictionary structured field / Dictionary structured field /
   Dictionary Structured Field
   (per [STRUCTURED-FIELDS]; we see that [STRUCTURED-FIELDS] uses
   the terms "Dictionary" and "Structured Field".)

 Note:  We also changed instances of "structured field" where used
   more generally to "Structured Field", also per usage in
   [STRUCTURED-FIELDS].  Please let us know any concerns.

 ed25519 algorithm / Ed25519 algorithm (per RFC 8032)

 encoded in big-endian unsigned integers /
   encoded as big-endian unsigned integers

 Host field (1 instance) / Host header field

 host name (2 instances in original) /
   hostname (5 instances in original)

 HTTP Signature Algorithm(s) (used generally in Sections 6.2
   and 6.2.1) / HTTP signature algorithm(s)

 key id (Section 4.3) / keyid

 line-folding / line folding (per RFC 9112)

 RSA PSS / RSA-PSS (per post-6000 published RFCs, including
   RFC 8017)

 signature field / Signature field

 Unix timestamp / UNIX timestamp

b) The following terms appear to be used inconsistently in this
document.  Please let us know which form is preferred.

 Accept header (noun) (4 instances) /
   Accept-Header (adj.) ("Accept-Header signature") (1 instance)

 boolean / Boolean

 "host" header field ('"host" header field is specific to HTTP/1.1') /
   Host header ('the Host header field in HTTP/1.1')

 HTTP Message / HTTP message (used generally in text, e.g.,
   "of an HTTP message.  Note that a given HTTP Message can contain",
   "the HTTP message and", "the HTTP Message and", "from the HTTP
   Message", "from the HTTP message")

 HTTP Message Signature(s) / HTTP message signature(s) /
   HTTP Message signature (in running text)
   (e.g., "Applications of HTTP Message Signatures", "an application
   of HTTP message signatures", "An HTTP Message Signature"
   (Section 3), "an HTTP message signature" (Section 3.1),
   "An HTTP Message signature MUST use")

 Referer / Referrer (Appendix B.4)
   We see both spellings used in post-6000 published RFCs.  Google
   searches for "what is a referer header?" and "what is a referrer
   header?" both seem to indicate that "Referer" is technically
   correct but that it is "a misspelling of Referrer".

   Because RFC 9110 uses "Referer", it might be best to use that
   form, but we defer to your choice.  Please advise.

 signature value(s) (37 instances in text) /
   Signature value(s) (6 instances in text)

 status code derived component / @status code /
   @status derived component
   (We suggest the latter, as @status is defined as "The status code
   for a response" in Section 2.2.)

 string value / String value

 The hash function (Hash) SHA-<###> / The hash SHA-<###> /
   The hash function SHA-<###>

c) Spacing after colons in message examples:  Should there be only
one space after the colons for the following?

  X-OWS-Header:   Leading and trailing whitespace.
  Cache-Control:    must-revalidate
  Example-Dict:  a=1,    b=2;x=1;y=2,   c=(a   b   c)
  Example-Dict:  a=1,    b=2;x=1;y=2,   c=(a   b   c)
  Example-Dict:  a=1, b=2;x=1;y=2, c=(a   b    c), d

  For example, in post-6000 published RFCs, we see entries for
  "Cache-Control:" (e.g., RFCs 9126, 9205, and 9449) and
  "Example-Dict:" (RFC 8941) with only one space between the colon
  and the parameter(s) in question.

d) Should "Digest" in this sentence be "Content-Digest"?  We ask
because of "Content-Digest field defined in [DIGEST]" in Section 1.4.

Original:
 *  Requiring a specific set of header fields to be signed (e.g.,
    Authorization, Digest). -->


Thank you.

RFC Editor


On Jan 22, 2024, at 3:47 PM, rfc-editor@rfc-editor.org wrote:

*****IMPORTANT*****

Updated 2024/01/22

RFC Author(s):
--------------

Instructions for Completing AUTH48

Your document has now entered AUTH48.  Once it has been reviewed and 
approved by you and all coauthors, it will be published as an RFC.  
If an author is no longer available, there are several remedies 
available as listed in the FAQ (https://www.rfc-editor.org/faq/).

You and you coauthors are responsible for engaging other parties 
(e.g., Contributors or Working Group) as necessary before providing 
your approval.

Planning your review 
---------------------

Please review the following aspects of your document:

*  RFC Editor questions

   Please review and resolve any questions raised by the RFC Editor 
   that have been included in the XML file as comments marked as 
   follows:

   <!-- [rfced] ... -->

   These questions will also be sent in a subsequent email.

*  Changes submitted by coauthors 

   Please ensure that you review any changes submitted by your 
   coauthors.  We assume that if you do not speak up that you 
   agree to changes submitted by your coauthors.

*  Content 

   Please review the full content of the document, as this cannot 
   change once the RFC is published.  Please pay particular attention to:
   - IANA considerations updates (if applicable)
   - contact information
   - references

*  Copyright notices and legends

   Please review the copyright notice and legends as defined in
   RFC 5378 and the Trust Legal Provisions 
   (TLP – https://trustee.ietf.org/license-info/).

*  Semantic markup

   Please review the markup in the XML file to ensure that elements of  
   content are correctly tagged.  For example, ensure that <sourcecode> 
   and <artwork> are set correctly.  See details at 
   <https://authors.ietf.org/rfcxml-vocabulary>.

*  Formatted output

   Please review the PDF, HTML, and TXT files to ensure that the 
   formatted output, as generated from the markup in the XML file, is 
   reasonable.  Please note that the TXT will have formatting 
   limitations compared to the PDF and HTML.


Submitting changes
------------------

To submit changes, please reply to this email using ‘REPLY ALL’ as all 
the parties CCed on this message need to see your changes. The parties 
include:

   *  your coauthors
   
   *  rfc-editor@rfc-editor.org (the RPC team)

   *  other document participants, depending on the stream (e.g., 
      IETF Stream participants are your working group chairs, the 
      responsible ADs, and the document shepherd).
     
   *  auth48archive@rfc-editor.org, which is a new archival mailing list 
      to preserve AUTH48 conversations; it is not an active discussion 
      list:
     
     *  More info:
        https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
     
     *  The archive itself:
        https://mailarchive.ietf.org/arch/browse/auth48archive/

     *  Note: If only absolutely necessary, you may temporarily opt out 
        of the archiving of messages (e.g., to discuss a sensitive matter).
        If needed, please add a note at the top of the message that you 
        have dropped the address. When the discussion is concluded, 
        auth48archive@rfc-editor.org will be re-added to the CC list and 
        its addition will be noted at the top of the message. 

You may submit your changes in one of two ways:

An update to the provided XML file
 — OR —
An explicit list of changes in this format

Section # (or indicate Global)

OLD:
old text

NEW:
new text

You do not need to reply with both an updated XML file and an explicit 
list of changes, as either form is sufficient.

We will ask a stream manager to review and approve any changes that seem
beyond editorial in nature, e.g., addition of new text, deletion of text, 
and technical changes.  Information about stream managers can be found in 
the FAQ.  Editorial changes do not require approval from a stream manager.


Approving for publication
--------------------------

To approve your RFC for publication, please reply to this email stating
that you approve this RFC for publication.  Please use ‘REPLY ALL’,
as all the parties CCed on this message need to see your approval.


Files 
-----

The files are available here:
   https://www.rfc-editor.org/authors/rfc9421.xml
   https://www.rfc-editor.org/authors/rfc9421.html
   https://www.rfc-editor.org/authors/rfc9421.pdf
   https://www.rfc-editor.org/authors/rfc9421.txt

Diff file of the text:
   https://www.rfc-editor.org/authors/rfc9421-diff.html
   https://www.rfc-editor.org/authors/rfc9421-rfcdiff.html (side by side)

Diff of the XML: 
   https://www.rfc-editor.org/authors/rfc9421-xmldiff1.html

The following files are provided to facilitate creation of your own 
diff files of the XML.  

Initial XMLv3 created using XMLv2 as input:
   https://www.rfc-editor.org/authors/rfc9421.original.v2v3.xml 

XMLv3 file that is a best effort to capture v3-related format updates 
only: 
   https://www.rfc-editor.org/authors/rfc9421.form.xml


Tracking progress
-----------------

The details of the AUTH48 status of your document are here:
   https://www.rfc-editor.org/auth48/rfc9421

Please let us know if you have any questions.  

Thank you for your cooperation,

RFC Editor

--------------------------------------
RFC9421 (draft-ietf-httpbis-message-signatures-19)

Title            : HTTP Message Signatures
Author(s)        : A. Backman, Ed., J. Richer, Ed., M. Sporny
WG Chair(s)      : Mark Nottingham, Tommy Pauly
Area Director(s) : Murray Kucherawy, Francesca Palombini