-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signing Empty / Absent Headers #1864
Comments
My understanding of the design was that the signature covered the message you receive. This would be a departure from that in that it encodes the value associated with the field into the signature description. I see that the current algorithm fails with an error if a field is listed but absent from the message. You could change that easily enough and encode absent fields1. Then, if you want to prevent the inclusion of a field, you would list it in Note that fields that are present but empty are not absent. These can be encoded already. Footnotes
|
Copying from the PR where @jricher says:
After that discussion and some consideration, I find I agree with the conclusion here. We shouldn't build in the ability to sign an absence. If you want something absent, then not signing it is sufficient. This is primarily because not signing something should -- ideally -- ensure that the recipient who depends on that signature will treat these extra pieces of the message as absent when it comes to processing messages. Even if they have been added, they are not signed and should not alter how the message is processed by the recipient. See Section 8.1 of RFC 3275 and subsections (reading the titles should suffice) for a succinct treatment of that. I was originally of the view that an approach where you have a specification of what is signed that is fixed no matter what the message is would be useful. For instance, if you believe that signing the X field is important, it might be useful to include that in (I still disagree with the second sentiment, but we can happily continue to disagree on that point without consequence, because it is moot.) |
I think that we've incorporated the warnings on the need to cover important elements with a signature in the security considerations: https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-10.html#name-insufficient-coverage Unless there's significant pull to do otherwise, I'm going to plan to close this issue and the associated PR with no action in the next week. |
Currently, an empty header can be included, but an absent header can't be guaranteed.
Proposal: add a boolean parameter for header field identifiers to mark a specific field as "not present" in the target message. Its value is an empty string. (Or should it be some special flag?)
If the verifier finds any header value with that name in the target message, throw an error.
The text was updated successfully, but these errors were encountered: