Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

Julian Reschke <julian.reschke@gmx.de> Mon, 31 October 2022 14:44 UTC

Message-ID: <111cf860-bbda-1c02-a5b7-81c76af7d263@gmx.de>
Date: Mon, 31 Oct 2022 15:40:59 +0100
To: Justin Richer <jricher@mit.edu>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
References: <7A490A89-3B27-4278-9AFA-A5339FF11500@mnot.net> <9feaab79-4da9-cd83-b53e-297fc199624b@gmx.de> <7BE7AA9D-2EFB-44AA-AB56-9C23E0F55AFF@mit.edu>
From: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <7BE7AA9D-2EFB-44AA-AB56-9C23E0F55AFF@mit.edu>
Archived-At: <https://www.w3.org/mid/111cf860-bbda-1c02-a5b7-81c76af7d263@gmx.de>

Am 31.10.2022 um 15:33 schrieb Justin Richer:
> Hi Julian, thanks for this writeup of this issue. Multiple-valued fields have been potential trouble from the start of this work many years ago.
>
> After re-reading the text in RFC9110 section 5, but especially 5.3, the normalization rules are consistent with the advice of "For consistency, use comma SP", but an intermediary could in fact combine field values without spaces on the way through. I think what we want to do is something like:
>
>
> 	HTTP fields that are known to be "list-based fields" by the signer or verifier which have multiple values MUST have all values combined using the delimiter of "comma <SP>" as suggested by RFC9110. <warning about set-cookie goes here>
>
> So it’s still the “combined value” but it’s got very specific rails around it. What do you think of this approach?
>
> I agree that we might want to revisit this text in the HTTP semantics document, too. In my own limited practical experience, whenever the libraries I’ve used offer a pre-combined value, it always does the combination with “comma <SP>”, as shown in both examples and in the non-normative recommendations. I think that the fact that the examples do the same, in spite of the normative text technically allowing other options, is a practical consideration for implementors.
>
>   — Justin

Well, there's nothing in the spec that guarantees that this (adding the
OPTIONAL SP) will happen. I'm not sure it's a good idea to rely on it.

A sender can always make things robust by making sure that there's only
a single instance of the field...

Best regards, Julian
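An added example (not code from the thread or from the draft) modelling the situation the two messages describe: the signer canonicalizes a multi-instance list-based field with "comma SP", an intermediary downstream merges the instances with a delimiter of its own choosing, and the verifier then canonicalizes what it receives. The helper names `canonicalize_field`, `intermediary_combine` and `signer_and_verifier_agree` and the sample header lists are assumptions constructed for this demonstration.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]  # (field name, field value) as seen on the wire


def canonicalize_field(headers: List[Header], name: str) -> str:
    # Canonical field value as the draft under discussion describes it:
    # every instance of the field in order, obsolete line folding removed,
    # leading/trailing whitespace stripped, instances joined with "comma SP".
    values = []
    for field_name, field_value in headers:
        if field_name.lower() == name.lower():
            unfolded = re.sub(r"\r?\n[ \t]+", " ", field_value)
            values.append(unfolded.strip())
    if not values:
        raise KeyError(f"field {name!r} not present")
    return ", ".join(values)


def intermediary_combine(headers: List[Header], name: str, sep: str) -> List[Header]:
    # Hypothetical intermediary that merges all instances of a list-based
    # field into one, using its own delimiter. RFC 9110 only recommends
    # "comma SP"; a bare comma is still a valid combination.
    merged = sep.join(v.strip() for n, v in headers if n.lower() == name.lower())
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, merged)]


def signer_and_verifier_agree(sent: List[Header], name: str, sep: str) -> bool:
    # True when the verifier reconstructs exactly the value the signer signed.
    signed_value = canonicalize_field(sent, name)
    received = intermediary_combine(sent, name, sep)
    return canonicalize_field(received, name) == signed_value


# Constructed sample messages (not taken from the thread).
TWO_INSTANCES = [("Host", "example.com"), ("X-Example", "a"), ("X-Example", " b ")]
ONE_INSTANCE = [("Host", "example.com"), ("X-Example", "a, b")]

if __name__ == "__main__":
    # Intermediary happens to use "comma SP": signature base survives.
    print(signer_and_verifier_agree(TWO_INSTANCES, "X-Example", ", "))  # True
    # Intermediary uses a bare comma (permitted): canonical value changes.
    print(signer_and_verifier_agree(TWO_INSTANCES, "X-Example", ","))   # False
    # Sender emits a single instance itself: nothing left to recombine.
    print(signer_and_verifier_agree(ONE_INSTANCE, "X-Example", ","))    # True
```

The last case is the sender-side robustness measure from the reply above: when only one instance of the field is sent, the intermediary's choice of delimiter no longer affects the signed value.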