Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

Justin Richer <jricher@mit.edu> Mon, 31 October 2022 14:37 UTC

From: Justin Richer <jricher@mit.edu>
To: Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/7BE7AA9D-2EFB-44AA-AB56-9C23E0F55AFF@mit.edu>

Hi Julian, thanks for this writeup of this issue. Multiple-valued fields have been potential trouble from the start of this work many years ago.

After re-reading the text in RFC9110 section 5, but especially 5.3, the normalization rules are consistent with the advice of “For consistency, use comma SP”, but an intermediary could in fact combine field values without spaces on the way through. I think what we want to do is something like:


	HTTP fields that are known to be “list-based fields” by the signer or verifier which have multiple values MUST have all values combined using the delimiter of “comma <SP>” as suggested by RFC9110. <warning about set-cookie goes here>

So it’s still the “combined value” but it’s got very specific rails around it. What do you think of this approach?

I agree that we might want to revisit this text in the HTTP semantics document, too. In my own limited practical experience, whenever the libraries I’ve used offer a pre-combined value, they always do the combination with “comma <SP>”, as shown in both examples and in the non-normative recommendations. I think that the fact that the examples do the same, in spite of the normative text technically allowing other options, is a practical consideration for implementors.

 — Justin

> On Oct 28, 2022, at 12:24 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> On 27.09.2022 01:01, Mark Nottingham wrote:
>> ...
> 
> 
> <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.1>
> says:
> 
> > Unless overridden by additional parameters and rules, the HTTP field
> > value MUST be canonicalized as a single combined value as defined in
> > Section 5.2 of [HTTP].
> 
> ...but later on it specifies...:
> 
> > Concatenate the list of values together with a single comma (",") and
> > a single space (" ") between each item.
> 
> ...which is inconsistent with Section 5.2's definition of "combined value":
> 
> > When a field name is repeated within a section, its combined field
> > value consists of the list of corresponding field line values within
> > that section, concatenated in order, with each field line value
> > separated by a comma.
> 
> Not good. This message-signatures spec can likely work around this by
> not referring to the definition of "combined field value" from 5.2 --
> but we may have to discuss this as an issue in the core spec (which goes
> on with an example where SP is indeed inserted, and Section 5.3 which
> explicitly allows that).
> 
> Best regards, Julian
> 
>
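
The delimiter mismatch discussed in this thread, worked through as an added example (not code from the draft or from either poster): a signer combines two field lines with ", " as the draft text says, and a verifier recomputes the value from what it receives after different intermediary behaviours. The HMAC key, the sample `Cache-Control` values and the single-line signature base are constructed assumptions for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread


def combine_draft(lines):
    """Rule quoted from the draft: join the values with comma + single space.
    Surrounding whitespace is stripped from each value first."""
    return ", ".join(v.strip() for v in lines)


def combine_rfc9110(lines):
    """RFC 9110 section 5.2 "combined field value": separated by a comma."""
    return ",".join(v.strip() for v in lines)


def sign(name, value):
    """HMAC-SHA256 over one simplified signature-base line (assumed layout)."""
    base = f'"{name.lower()}": {value}'.encode()
    return hmac.new(KEY, base, hashlib.sha256).hexdigest()


def verify(name, received_lines, signature):
    """Verifier recomputes the combined value from the lines it received."""
    expected = sign(name, combine_draft(received_lines))
    return hmac.compare_digest(expected, signature)


# Constructed sample: the signer sends two field lines for one list-based field.
SENT = ["max-age=60", "must-revalidate"]
SIG = sign("Cache-Control", combine_draft(SENT))

# What a verifier may see: both lines untouched, or one line that an
# intermediary merged with a bare comma, or one merged with comma + SP.
UNTOUCHED = list(SENT)
MERGED_NO_SP = [combine_rfc9110(SENT)]
MERGED_WITH_SP = [combine_draft(SENT)]

if __name__ == "__main__":
    for label, lines in [("untouched", UNTOUCHED),
                         ("merged ','", MERGED_NO_SP),
                         ("merged ', '", MERGED_WITH_SP)]:
        ok = verify("Cache-Control", lines, SIG)
        print(f"{label:12} {lines!r:45} verifies={ok}")
```

Only the bare-comma merge fails, because the verifier has a single field line and nothing in the join rule reinserts the space.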