[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures

Anders Rundgren anders.rundgren.net at gmail.com
Thu Mar 14 09:50:59 UTC 2019


On 2019-03-14 10:17, Philippe Leothaud via Openid-specs-fapi wrote:
> Hi Dave,
> 
> there is also this one:
> 
> "If there are multiple instances of the same header field, all header field values associated with the header field MUST be concatenated, separated by a ASCII comma and an ASCII space `, `, and used in the order in which they will appear in the transmitted HTTP message"
> 
> This is a real problem because as soon as you go through a proxy/reverse proxy the order is not guaranteed...
> 
> One example is if you want to sign the Set-Cookie header ;-)

Hi Phil,

My 00 draft reads:

    "For interoperability reasons it is RECOMMENDED to not use duplicate
     header names for headers that are to be signed"

I just removed this paragraph. Do you think I should restore it?

AWS does not seem to have a solution either:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

Anders
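To make the ordering problem concrete, here is an added example (not code from the draft or from anyone on this thread) that builds the signing-string line for a header the way the quoted rule describes: lowercase the name, join every value of that field with `, ` in transmitted order. Constructed sample headers with two `Set-Cookie` fields are shown once as sent by the origin and once with the order swapped, as a proxy might deliver them; the canonical string, and therefore any MAC over it, changes. The block also implements the guard that the 00 draft recommended, rejecting a signature request whose covered headers include a field that occurs more than once. The HMAC key and header values are constructed placeholders.

```python
import hmac
import hashlib
from typing import Iterable, List, Tuple

# (name, value) pairs in the order they appear on the wire.
Header = Tuple[str, str]

# Constructed demo key; a real deployment would use the signer's key material.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_header_line(name: str, headers: Iterable[Header]) -> str:
    """One signing-string line per the quoted rule: lowercased name, then all
    values of that field joined with ', ' in the order they were transmitted."""
    values = [value.strip() for field, value in headers if field.lower() == name.lower()]
    if not values:
        raise KeyError(f"header {name!r} is not present in the message")
    return f"{name.lower()}: {', '.join(values)}"


def signing_string(covered: List[str], headers: List[Header]) -> str:
    """Concatenate the covered header lines with '\\n', as the draft does."""
    return "\n".join(canonical_header_line(name, headers) for name in covered)


def sign(covered: List[str], headers: List[Header], key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over the signing string, hex-encoded (demo MAC, not the draft's
    algorithm negotiation)."""
    return hmac.new(key, signing_string(covered, headers).encode(), hashlib.sha256).hexdigest()


def duplicate_signed_headers(covered: List[str], headers: List[Header]) -> List[str]:
    """Return the covered header names that occur more than once in the message.
    This is the check behind the 00 draft's 'do not use duplicate header names for
    headers that are to be signed' recommendation: a non-empty result means the
    signature's validity depends on an ordering that intermediaries may not preserve."""
    counts = {}
    for field, _ in headers:
        counts[field.lower()] = counts.get(field.lower(), 0) + 1
    return [name for name in covered if counts.get(name.lower(), 0) > 1]


# Constructed sample: origin emits two Set-Cookie fields in this order ...
AS_SENT: List[Header] = [
    ("Host", "api.example.com"),
    ("Set-Cookie", "a=1; Path=/"),
    ("Set-Cookie", "b=2; Path=/"),
]
# ... and a proxy hands them to the verifier in the opposite order.
AS_RECEIVED_REORDERED: List[Header] = [
    ("Host", "api.example.com"),
    ("Set-Cookie", "b=2; Path=/"),
    ("Set-Cookie", "a=1; Path=/"),
]
COVERED = ["host", "set-cookie"]


def demo() -> bool:
    """True if the reordered message still verifies against the origin's MAC."""
    original = sign(COVERED, AS_SENT)
    after_proxy = sign(COVERED, AS_RECEIVED_REORDERED)
    return hmac.compare_digest(original, after_proxy)


if __name__ == "__main__":
    print(signing_string(COVERED, AS_SENT))
    print(signing_string(COVERED, AS_RECEIVED_REORDERED))
    print("verifies after reordering:", demo())
    print("duplicated covered headers:", duplicate_signed_headers(COVERED, AS_SENT))
```

Note that `Set-Cookie` is an especially poor candidate for the `, ` folding rule regardless of ordering: RFC 7230 exempts it from list-combining because cookie attributes such as `Expires` themselves contain commas, so a receiver cannot reliably split the folded value back into individual fields.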
