Issue with http sig request/response binding
Issue #575
resolved
As Justin brought up on today’s call, there is an issue with the way we use http sig:
https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0063.html
in particular this text from FAPI2 Message Signing:
1. shall cryptographically link the response to the request by including the request signature in the response signature input by means of the `req` boolean flag defined in 2.4 in [@!I-D.ietf-httpbis-message-signatures] on the signature field of the request that caused the response
Comments (5)
- changed milestone to 2nd Implementers Draft
assigned issue to
We’ve temporarily removed the http signature section, but will add it back in once the issue is resolved in the core IETF spec.
This is the PR on the IETF spec: https://github.com/httpwg/http-extensions/pull/2452
- changed status to resolved
issue already resolved
To mitigate this, the response should really just sign all of the request components that are required. This list could easily be taken from the requirements for signing requests in the first place, something like “@method, @target-uri, content-digest if applicable”. Signing “signature” and “signature-input” as well won’t hurt; they just can’t be relied on for the transitive protection.
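The difference between the two binding styles discussed above, as an added example that is not code from this issue, the FAPI2 specification or the IETF draft. It builds the RFC 9421 signature base for a response two ways: once covering only the request’s `signature` / `signature-input` fields via `;req` (the text at issue), and once covering the request’s `@method`, `@target-uri` and `content-digest` directly. A verifier that checks only the response signature accepts the first one against a different request that merely carries the same Signature header bytes; the second fails as soon as the request differs. The shared HMAC key, `keyid`, URIs, bodies and the `sig1` label are constructed for the demo, and `hmac-sha256` is used only so the block runs offline without a key-generation dependency.

```python
"""RFC 9421 request/response binding: ';req' on the request's Signature field
versus ';req' on the request's own components. Added example, not from the
FAPI issue or the IETF spec. Key, keyid, URIs and bodies are constructed."""
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

SHARED_KEY = b"demo-shared-secret-not-a-real-key"  # constructed, hmac-sha256
KEY_ID = "test-shared-secret"                       # constructed keyid
CREATED = 1618884479                                # fixed so output is stable
Components = List[Tuple[str, List[str]]]            # (component name, parameters)


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value with sha-256."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(name: str, params: List[str], msg: dict,
                    related_req: Optional[dict]) -> str:
    """Resolve one covered component; ';req' selects the related request (sec. 2.4)."""
    target = related_req if "req" in params else msg
    if target is None:
        raise ValueError("';req' used with no related request")
    if name.startswith("@"):  # derived components (sec. 2.2) the demo needs
        return target[{"@method": "method", "@target-uri": "target_uri", "@status": "status"}[name]]
    return target["headers"][name]  # field values assumed already canonicalised


def identifier(name: str, params: List[str]) -> str:
    # Serialised component identifier, e.g. '"content-digest";req'
    return f'"{name}"' + "".join(f";{p}" for p in params)


def signature_base(components: Components, msg: dict,
                   related_req: Optional[dict] = None) -> Tuple[str, str]:
    """Signature base per section 2.5. Returns (base, Signature-Input value)."""
    lines = [f"{identifier(n, p)}: {component_value(n, p, msg, related_req)}"
             for n, p in components]
    inner = "(" + " ".join(identifier(n, p) for n, p in components) + ")"
    sig_params = f'{inner};created={CREATED};keyid="{KEY_ID}";alg="hmac-sha256"'
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines), sig_params


def sign(base: str) -> str:
    return base64.b64encode(hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()).decode()


# Constructed messages: the client's request and the server's response.
REQUEST = {"method": "POST", "target_uri": "https://api.example.com/payments",
           "headers": {"content-digest": content_digest(b'{"amount": 100}')}}
RESPONSE = {"status": "200",
            "headers": {"content-digest": content_digest(b'{"state": "ACCEPTED"}')}}
REQUEST_COMPONENTS: Components = [("@method", []), ("@target-uri", []), ("content-digest", [])]

# Scheme 1: response bound only through the request's Signature fields.
VIA_SIGNATURE_ONLY: Components = [("@status", []), ("content-digest", []),
                                  ("signature", ["req"]), ("signature-input", ["req"])]
# Scheme 2: response covers the request's required components itself.
VIA_REQUEST_COMPONENTS: Components = [("@status", []), ("content-digest", []),
                                      ("@method", ["req"]), ("@target-uri", ["req"]),
                                      ("content-digest", ["req"])]


def signed_request() -> dict:
    """Client signs REQUEST and attaches Signature-Input / Signature (label sig1)."""
    base, sig_params = signature_base(REQUEST_COMPONENTS, REQUEST)
    headers = {**REQUEST["headers"], "signature-input": f"sig1={sig_params}",
               "signature": f"sig1=:{sign(base)}:"}
    return dict(REQUEST, headers=headers)


def request_signature_valid(req: dict) -> bool:
    """The check scheme 1 silently depends on: verifying the request's own signature."""
    base, _ = signature_base(REQUEST_COMPONENTS, req)
    presented = req["headers"]["signature"][len("sig1=:"):-1]
    return hmac.compare_digest(presented, sign(base))


def swapped_request(req: dict) -> dict:
    """A different request that still carries the original Signature header bytes."""
    return dict(req, target_uri="https://api.example.com/refunds")


def binding_holds(scheme: Components) -> Tuple[bool, bool]:
    """Server signs RESPONSE over the genuine request. A verifier that checks only the
    response signature tests it against (genuine request, swapped request)."""
    genuine = signed_request()
    sig = sign(signature_base(scheme, RESPONSE, genuine)[0])

    def verify(req: dict) -> bool:
        return hmac.compare_digest(sig, sign(signature_base(scheme, RESPONSE, req)[0]))

    return verify(genuine), verify(swapped_request(genuine))


if __name__ == "__main__":
    print("scheme 1 verifies (genuine, swapped):", binding_holds(VIA_SIGNATURE_ONLY))
    print("scheme 2 verifies (genuine, swapped):", binding_holds(VIA_REQUEST_COMPONENTS))
```

Scheme 1 returns `(True, True)`: the response signature only ever saw the request’s Signature header bytes, so it is transitive protection that only holds if the verifier also runs `request_signature_valid` on the request it was handed. Scheme 2 returns `(True, False)`: the changed `@target-uri;req` line breaks the signature base, with no reliance on the request signature being present or checked.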