IETF Logo Mail Archive

Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

Justin Richer <jricher@mit.edu> Thu, 27 October 2022 14:38 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CB6BC157B43 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 27 Oct 2022 07:38:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.06
X-Spam-Level:
X-Spam-Status: No, score=-5.06 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFadVlTXpXD7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 27 Oct 2022 07:38:00 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFEBEC157B42 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 27 Oct 2022 07:37:45 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1oo3xx-00A9L2-Qu for ietf-http-wg-dist@listhub.w3.org; Thu, 27 Oct 2022 14:34:41 +0000
Resent-Date: Thu, 27 Oct 2022 14:34:41 +0000
Resent-Message-Id: <E1oo3xx-00A9L2-Qu@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <jricher@mit.edu>) id 1oo3xv-00A9Ia-02 for ietf-http-wg@listhub.w3.org; Thu, 27 Oct 2022 14:34:39 +0000
Received: from outgoing-exchange-7.mit.edu ([18.9.28.58]) by mimas.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <jricher@mit.edu>) id 1oo3xt-002vLm-5d for ietf-http-wg@w3.org; Thu, 27 Oct 2022 14:34:38 +0000
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id 29REYGfu003019; Thu, 27 Oct 2022 10:34:24 -0400
Received: from oc11expo21.exchange.mit.edu (18.9.4.52) by w92exedge4.exchange.mit.edu (18.7.73.16) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 27 Oct 2022 10:33:15 -0400
Received: from oc11exhyb2.exchange.mit.edu (18.9.1.98) by oc11expo21.exchange.mit.edu (18.9.4.52) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Thu, 27 Oct 2022 10:33:42 -0400
Received: from NAM02-DM3-obe.outbound.protection.outlook.com (104.47.56.41) by oc11exhyb2.exchange.mit.edu (18.9.1.98) with Microsoft SMTP Server (TLS) id 15.0.1497.42 via Frontend Transport; Thu, 27 Oct 2022 10:33:42 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oCctsJh+OQ3+D1Rnl7DN1VKM3K3/9qoAfUj1zZfVdBda1HwZnvF5FlVv0S/Lhe5pac79Hr+U4TGtMhNFe3ZsrWWTL3L3byoo+rx+E8bsJFVrou3y0UHWzFSyEWJ0rbykroJ5UNnz+84dNf1R8cFEmmxa/ms6uQYJs3OgSAHZ7PmQBop3WGIwx+X11258o+2/y49OhNcykd1mreASEsrdeFD183H3h+JXkawVLVrurqYNp9GYqyeBHceI4+JmKbNtg5N4Lp1WGsYktiAaZLGWRjFgRxmiDIwHcB82ToP9a5O9tLLt7dFJ5LBqJzfPNcIhYDDl2lwgHCYTZtkJNv6tDA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IYrwOS6meD773P/U1UMGYGIckjAtyMJ5hUdKYiaLq9M=; b=LXLs7pNwVJNd6A/owXICyrwbdD5do/O7BA1LKQsz02EzWEX61D2wHNxmV/Ds8C2IcszYIpvGrU/hOV76oyUajMZ4L4inlT63SxeiIuKCPTbZRGPySDmFtMy4znKDKli1IKAx7ONj4g17m38tCrDqf4C2GKYm3H5Q9YlHUyUT8K0/3Hy8Yh4Y9To+iA2GZBjViXMyCUdZgz1hQIDUBiVbRhBsbCcdECnVRQJPxFnEqkmaNtup1OdnXnHBIUXoIugIG9+QbmCBaXjtTg8oG/UfXm2Ih2hsDSCrUbw2/HNX0/G3Wnbel9PPr/XgUbcQEzrr+Q17rGuKKLJUQ6ioOvUnXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IYrwOS6meD773P/U1UMGYGIckjAtyMJ5hUdKYiaLq9M=; b=TDSKyzB7cJDICrrnVwi7JublOgjCIE0mv5n6ebLQcD/OaduelkCHmulQVfnnZiZTVXvWDcHTK+FALhj46BQbNUHKVZtbaxpoWrcR9LpGPXKmuwzV+q5OXelyD5OVQcvjg2sEGKhp6PJRgg58Ga40D2iLLrEw1fY+Jg+fwnnAMMI=
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by PH7PR01MB7845.prod.exchangelabs.com (2603:10b6:510:1d9::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.33; Thu, 27 Oct 2022 14:33:39 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::166f:d203:ce70:94cf]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::166f:d203:ce70:94cf%3]) with mapi id 15.20.5746.028; Thu, 27 Oct 2022 14:33:39 +0000
From: Justin Richer <jricher@mit.edu>
To: Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Working Group Last Call: draft-ietf-httpbis-message-signatures-13
Thread-Index: AQHY0fyLh9AQCgmjhUyWeqZbowqcQ64hH9CAgAFeawA=
Date: Thu, 27 Oct 2022 14:33:39 +0000
Message-ID: <A52B6A15-DFC8-4CCF-8FA2-D66050022F62@mit.edu>
References: <7A490A89-3B27-4278-9AFA-A5339FF11500@mnot.net> <daec9ec1-4b6d-b196-b5e7-ed7722e1fb56@gmx.de>
In-Reply-To: <daec9ec1-4b6d-b196-b5e7-ed7722e1fb56@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|PH7PR01MB7845:EE_
x-ms-office365-filtering-correlation-id: f206001f-05a4-48b0-51bc-08dab8283d33
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: L/c+lO+PvdjzPvN4SpVJsR0xNDf4tJCmJ4m5gv38IBd51g1GGt4mkbs4fQFxlYpbvmdjppFnIKYRHqce6kwsFRQ7BD06qLzT8U1CGmVQHpw/d+Tco6qEyvPMN+eYOyFBzAJqsZbgWSzCgVCRZT1LaCKABEpMfIcpqWJRhRyjSTJrq0Ss2Rtv6yNGGpxtfe0kqMrMBBE7S9f1dORo6SeYnQmwNg/1N3u/LsyX2uos7+CSd/z9uiyneemjGEBtE8Qq4snd1006OgrBJa87HaQCa3GlIouX1TLCjIC+MuQuvRdN4hTe16vlTswXXjsHATc2+ALKMtgUamE2wHLhzjGxUjwj7ayUIHA7qImKERKYeja2+YZi/AadO/O/QNDHwsrRV6F50K22YbuaiX78jrNEXGkAnO9g2qwodI1DApG1tlnS56dWciQ7Tsb+cMew/I4sEGP6hjY1Lrh6SgCZAlqp5YdAWIxzBcAf5qrxIN9WDap6bGFU7iP4AdjnKPvvWW0IzAtWP7kFZ+oA4MgMG2rx/zthkFxItAzNiCTF7PjusIFCW+VJGlP5/bUZ94QQLJ1ibaG9D1hbXBqZa9OIYfrafisxtgvdlw2fRB5hxkb8bFe0DkLNhnt8qFLmbOmWjqcnKo9EgEHE6cZ0o2ZywXPcsDj8FzPZcnUuHqnuxW+ZqXfZGnXQJqeg7I8q+D0bTLhgJ097k0TSo4DxZphQ5Cu08ajLBIkMwqdPB1MDHaVZBMf9CyWi3zn/QUjAgSJ7iF6A9t3X6K6bqfMgw+V1+OxG3Fzy3W5eXHWA3d8NQO/fVRq5NUHa9S6/Gd73u2P8XT6kPR/fod8zOeXo7afe+6vkfQ==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR01MB4444.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230022)(4636009)(376002)(39860400002)(396003)(136003)(366004)(346002)(451199015)(33656002)(4326008)(26005)(36756003)(6506007)(64756008)(76116006)(71200400001)(86362001)(6486002)(786003)(478600001)(6512007)(15974865002)(83380400001)(6916009)(53546011)(122000001)(38100700002)(75432002)(2616005)(66946007)(186003)(8676002)(38070700005)(91956017)(66446008)(41300700001)(66556008)(8936002)(15650500001)(316002)(66476007)(5660300002)(2906002);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zCS+boO/uA/alQLFJ0vYLPiE59wHa7K+MZrk5HNxrvx2S1Z5QPzuulWR0du1XDeLW/KbxqU11qNDhLmPBhBJl2W2MHDJ0F3aflc/+xk1Qb12djiNaXL1EmOWpFWHEdhqg8gnh8qUg3R8EEBIaGTIj1B1fy3xDZ6Hz3PuvM1ubxfgrey5I+d3DRiONQ1yjBlmV1bvllTY/fkFLxt3s3tDUSbevYammcAlHXNs5hZYIZSKXGoiwmdlT3JSrrMc9Ddwy/4snh7G/yHiDCaqE6NmVrPG3T8utbpA26vz/tNHQS/9juxt9ixyW7O1nVCUReIhQfZjmDdmByzF0EWBYWF8nPAbNp7H1lkbNXw+EQ/rgjaT2B7hradSvl0L7WHk+UV8oSawQIap5Mrm4s8m20BduuqKuy6yC8xvm8MfQ04srpxKjQBnMVW3oMptb1S75ZY7nr8HRFanWe8fegOVM+pMH4ukHJdNWUjbXRMI86EFwGZQakbf08iZctTNh9o5TCi21NDKj6vARLyfsCPEoNhPdGWuy4zFP8AJNS0zJ9c3t+qm4Vdxl5ZHczKKnyPt9WRKwmF79VIDA9sJ63ebRTSAG6WOSraiYKmvkMhlFqbEYwdPWgUFbmw8x+8pSq2VZmmKth/+XzlaY25X81cQCUl+aKkV/Jb1/OMHDU4Svq2SZfqXrsj+pjn/9l9hXlP1Uh1bA93F0XcuSRz8p4BB1qJ43IsSB0dvpG/TryGGxbbozAtlro+xyO0rLDLIFLunnBcBDArx76XEU2Yo71PneveLiRX2eix2+arSBnLDW4Ea4BD7QfNuxTbnXHgQ9TzvN5Btgf4kwT+jKhOG7lFXPc81SrucaOfNoMqekOnWrIIRJEOkOFIvqaf/cazqx7+CaGdjCXZNI/lymy+SV+dvu644bnfgkKMsKkz1i7HM0TOL4PsmMK7YiMFfmG4bt77zmRu2WBy2ys8QNaRn2WYZgzFy1Tkg1PLKWfjR9At+Im9wtU0nDkIYcnI0SC2KlYcw4cc55v4lEp9e1aRaiKG83dxAIhHrb/yxqCDZ7meExKihZJL152Dft4KKEwefxQsTgeOwflIK5UJDv9LbDbKVJmPyLmMtWEfnrtkPyFSUqysjHzXz8B1JlB/d5kiuzDi/TtwGeJrxuWR9cceHxf52mE9JZrMtuvWcazJmyRVfvlFiifKO1BPkWw9Go975fHtlzE4P33B54R2gMgsdr/CBTl4FXr7YiqPDuzg/oXEbFo1NbLADoLHpUMDIlskIjuPEJM/j3ZsChdvXlcvxDC9c6RpIN5ATZDP39iSkKbG6i1klmZ/fH6IX6wwiwpdytUKgf+FGlXord32vcnD7qI6t3wZWNLfPezjedvvnh7N0pFxagbxDqCJPH2v2uKCBxlt7l8U31FFcO98SdPoBbhIc9iEyHRKq/36qJLCohttz0i1tXnbCofODDCZFPnB+U1R3IiQKTGoTfgku31K75whg4XsqAYXoXrDjIS2KhmtoYXan0BBAiRcX94E6vVUE+MRi43DViOED7m3FtKlAmMlLLWbqE71c/kj8KmZ4uOiw1FLXnKUhnKfP03An43+h9q1uQih+
Content-Type: text/plain; charset="utf-8"
Content-ID: <E5B2F983D6E1C14D97BABB3ADBC65D44@prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f206001f-05a4-48b0-51bc-08dab8283d33
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Oct 2022 14:33:39.1010 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lfTlWoDCD0lTEUikl6CXGpGkCQ+cIv5CCRVqH8cOgKu1Ly8oTyxEuspH/poWYcSQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR01MB7845
X-OriginatorOrg: mit.edu
X-W3C-Hub-DKIM-Status: validation passed: (address=jricher@mit.edu domain=mit.edu), signature is good
X-W3C-Hub-Spam-Status: No, score=-7.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1oo3xt-002vLm-5d d6ea6ecdd09dd6b7c0c39d7fd42ff2d6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13
Archived-At: <https://www.w3.org/mid/A52B6A15-DFC8-4CCF-8FA2-D66050022F62@mit.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40497
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Julian,

Thanks for bringing this up. When the authors discussed both the @path and @query derived components, we struggled a bit to come up with the best way to define a canonicalized form, since both can use percent-encoding in the wild. While for the vast majority of applications it’s going to be “take whatever string is handed to me by calling getPath() and getQuery()”, and that’s going to work, we obviously need to have something more precise here for all the corner cases.

At the time of first discussion, the best advice seemed to be to account for the percent-encoding on both of these, since that’s what most libraries seemed to do automatically behind the scenes. The language that we have was intended to reflect that, but we will absolutely defer to others in the group if there’s a better way to describe this.

I agree that we should have some examples that reflect any allowable transformations, too. We’ve got an appendix for showing these kinds of things that would be a great place to showcase this, with a forward reference from the @path and @query sections.

I’m interested to hear what others think the best approach would be here.

Thanks,
 — Justin

> On Oct 26, 2022, at 1:39 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> On 27.09.2022 01:01, Mark Nottingham wrote:
>> ...
> 
> I started a review, and I'm finding mostly minor issues so far which
> I'll summarize either later or create PRs for).
> 
> One thing that *might* be non-trivial is the handling of percent-escaping.
> 
> For instance, in
> <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.2.6>:
> 
> "Namely, an empty path string is normalized as a single slash /
> character, and path components are represented by their values after
> decoding any percent-encoded octets."
> 
> So consider:
> 
> POST /foo%2fbar HTTP/1.1
> Host: www.example.com
> 
> Unescaping %2f to "/" would yield a @path component value of
> 
> /foo/bar
> 
> is that really intended? I believe we need to have a look at the
> following cases:
> 
> - escaped characters that otherwise would delimit URI components (such
> as "?" or "#")
> 
> - escaped characters that otherwise have a special role inside a
> component (such as "/" in the path or "&" in a query)
> 
> - escaped characters that map to non-ASCII characters (do we care about
> encoding schemes, and if so, which?)
> 
> - escaped characters that might otherwise be problematic (%00 for instance)
> 
> I'm not sure yet what the correct approach would be, but whatever it is,
> it should be reflected in the examples.
> 
> Best regards, Julian
> 
> 
>

v2.15.0 | Report a Bug | By Email