Signing Set-Cookie

Justin Richer <jricher@mit.edu> Wed, 01 June 2022 21:39 UTC

To: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/A0601849-2870-4150-9926-5FA706D7F6DE@mit.edu>

The Set-Cookie header syntax is weird in that it doesn’t allow for concatenation in the normal List syntax. The Signature spec relies on this concatenation for the combination of values of headers that show up multiple times. This discrepancy is called out in this issue:

https://github.com/httpwg/http-extensions/issues/1183

However, on further investigation, I don’t think this actually causes a problem. The concatenation process outlined in Signatures still works on multiple Set-Cookie values; the only weird thing is that the RESULT of that process cannot itself be parsed as a valid Set-Cookie header.

But the thing is, it doesn’t have to be parsed. It just has to exist as a string in the signature base, and be re-created by both signer and verifier in a consistent way. 

I’m planning on closing this issue with a note in the appropriate section of the signature spec, but if there’s something I’m missing about this, please chime in.

 — Justin
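
Added example, not part of the original message and not code from the Signatures draft: a Python sketch of the point above, in which signer and verifier each rebuild the combined Set-Cookie string for the signature base and never parse it. The key, cookie values, signature parameters and function names are constructed for illustration, and HMAC-SHA256 stands in for whatever algorithm a deployment uses.

```python
import hashlib
import hmac

def component_value(headers, name):
    """Combine all values of one field: trim each, join in order with ', '."""
    values = [v.strip() for n, v in headers if n.lower() == name]
    if not values:
        raise KeyError(name)
    return ", ".join(values)

def signature_base(headers, covered, params):
    """One line per covered field, then the @signature-params line."""
    lines = [f'"{n}": {component_value(headers, n)}' for n in covered]
    ids = " ".join(f'"{n}"' for n in covered)
    lines.append(f'"@signature-params": ({ids}){params}')
    return "\n".join(lines)

def sign(key, headers, covered, params):
    base = signature_base(headers, covered, params).encode("ascii")
    return hmac.new(key, base, hashlib.sha256).digest()

def verify(key, headers, covered, params, signature):
    # The verifier re-creates the same string; it never parses it.
    return hmac.compare_digest(sign(key, headers, covered, params), signature)

# Constructed sample data (assumptions, not taken from the message).
KEY = b"constructed-demo-key"
PARAMS = ';created=1654119397;keyid="demo-key";alg="hmac-sha256"'
COVERED = ["content-type", "set-cookie"]
RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; Expires=Wed, 01 Jun 2022 23:00:00 GMT"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

def demo():
    sig = sign(KEY, RESPONSE, COVERED, PARAMS)
    combined = component_value(RESPONSE, "set-cookie")
    tampered = RESPONSE[:2] + [("Set-Cookie", "theme=light; Path=/")]
    reordered = [RESPONSE[0], RESPONSE[2], RESPONSE[1]]
    return {
        # The comma inside Expires makes splitting ambiguous: 2 cookies, 3 pieces.
        "pieces": len(combined.split(", ")),
        "verifies": verify(KEY, RESPONSE, COVERED, PARAMS, sig),
        "tampered_verifies": verify(KEY, tampered, COVERED, PARAMS, sig),
        "reordered_verifies": verify(KEY, reordered, COVERED, PARAMS, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The reordered case fails because the combined string depends on the order of the Set-Cookie lines, so an intermediary that reorders them invalidates the signature.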