Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

Julian Reschke <julian.reschke@gmx.de> Fri, 28 October 2022 16:27 UTC

Archived-At: <https://www.w3.org/mid/0563c8e6-ff81-7228-8373-e1bc9d9083d4@gmx.de>

On 28.10.2022 18:24, Julian Reschke wrote:
> On 27.09.2022 01:01, Mark Nottingham wrote:
>> ...
>
>
> <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.1> says:
>
> > Unless overridden by additional parameters and rules, the HTTP field
> > value MUST be canonicalized as a single combined value as defined in
> > Section 5.2 of [HTTP].
>
> ...but later on it specifies...:
>
> > Concatenate the list of values together with a single comma (",") and
> > a single space (" ") between each item.
>
> ...which is inconsistent with Section 5.2's definition of "combined value":
>
> > When a field name is repeated within a section, its combined field
> > value consists of the list of corresponding field line values within
> > that section, concatenated in order, with each field line value
> > separated by a comma.
>
> Not good. This message-signatures spec can likely work around this by
> not referring to the definition of "combined field value" from 5.2 --
> but we may have to discuss this as an issue in the core spec (which goes
> on with an example where SP is indeed inserted, and Section 5.3 which
> explicitly allows that).
>
> Best regards, Julian

...but at the end of the day, the recipient of the digest cannot assume
that intermediaries followed the same normalization requirements, when
the HTTP core specs make the additional SP optional.

Best regards, Julian
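
The following Python example is added here for illustration and is not part of the message above or of the draft. It applies the quoted ", " concatenation step and shows verification failing when a hypothetical intermediary merges repeated field lines with a bare comma, as Section 5.2's "combined field value" permits. The key, field name, field values, the HMAC stand-in for the signature algorithm and the one-line signature base are all assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the draft


def canonical_field_value(field_lines):
    """Concatenation step quoted from the draft's Section 2.1: strip each
    field line value, then join with a single comma and a single space."""
    return ", ".join(v.strip() for v in field_lines)


def signature_base_line(name, field_lines):
    # Simplified assumption: one covered field, no @signature-params line.
    return f'"{name.lower()}": {canonical_field_value(field_lines)}'


def sign(name, field_lines):
    base = signature_base_line(name, field_lines).encode()
    return hmac.new(KEY, base, hashlib.sha256).digest()


def verify(name, received_lines, tag):
    # The verifier can only canonicalize the field lines it actually received.
    return hmac.compare_digest(sign(name, received_lines), tag)


def merge_lines(field_lines, separator):
    """Hypothetical intermediary that folds repeated field lines into one."""
    return [separator.join(field_lines)]


SENT = ["a=1", "b=2"]  # constructed: two field lines with the same name
TAG = sign("Example-Dict", SENT)


def outcomes():
    return {
        "forwarded unchanged": verify("Example-Dict", SENT, TAG),
        "merged with ', '": verify("Example-Dict", merge_lines(SENT, ", "), TAG),
        "merged with ','": verify("Example-Dict", merge_lines(SENT, ","), TAG),
    }


if __name__ == "__main__":
    for path, ok in outcomes().items():
        print(f"{path:22} -> {'valid' if ok else 'INVALID'}")
```

Once the lines have been merged with a bare comma, the verifier sees a single field line and has no reliable way to recover the signer's ", " form, since a comma may also be part of a field value.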