Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support a versioning scheme #53

Open
ioggstream opened this issue Apr 15, 2019 · 3 comments · May be fixed by #56
Open

Support a versioning scheme #53

ioggstream opened this issue Apr 15, 2019 · 3 comments · May be fixed by #56
Labels
enhancement New feature, extension project Meta issue on project, principles, processes protocol Core mechanics of the protocol

Comments

@ioggstream
Copy link
Contributor

I expect

HTTP Signatures supports a versioning scheme, so I can evolve the spec and be backward compatible during upgrades.

About protocol evolution, see https://tools.ietf.org/id/draft-thomson-postel-was-wrong-03.html

Instead

There's no version field

Proposal

1- Add a mandatory v field to Signature, eg:

Signature: v="1.2.3", ...

2- The Signature is always added as a meta-header as the first element of the signed string

(v): 1.2.3
(request-target): get /foo
...

3- The (v) meta-header is not mentioned in the headers component of the Signature header

4- The value of v must be validated before processing the Signature

5- (obviously) if v and (v) don't match, the hash of the signature won't match, thus making proper versioning mandatory.

@msporny
@ioggstream ioggstream mentioned this issue Apr 15, 2019
Merged
@ioggstream ioggstream linked a pull request May 6, 2019 that will close this issue
Open
@liamdennehy liamdennehy added enhancement New feature, extension project Meta issue on project, principles, processes protocol Core mechanics of the protocol labels Aug 22, 2019
@liamdennehy
Copy link
Contributor

liamdennehy commented Aug 22, 2019
edited
Loading

I vote no.

This project aims to publish a specification as an IETF RFC, and ideally should present a single, coherent protocol. That we have had some iterations and even breaking changes over the course of its development is unfortunate, but I think the aim here is to get to that single protocol.

Capturing and forcing compatibility with every legacy step - some of which we acknowledge have negative security implications such as algorithm - would simply make this a beast to implement in its entirety, and so hinder adoption.

Yes there has already been quite an investment by some parties to implement various versions of the draft, but the risk was always there as this is a draft.

I'm not proposing breaking things intentionally or pulling the plug without consideration, but we need to think about what goal we are trying to achieve and whether these choices support that goal.

@ioggstream ioggstream mentioned this issue Aug 26, 2019
Open
@liamdennehy
Copy link
Contributor

While (v) would clearly show which version a signature was generated under - and should be verified against - this would start by creating a compatibility break point, and add complexity to the scheme's final version not least of which is coming up with version semantics.
#88

@ioggstream
Copy link
Contributor Author

this would start by creating a compatibility break

That's fine as long as the backward-compatibility won't hinder the adoption of this I-D: it would be reasonable to ask for a quick review from the http-wg.

Note that this consideration is non necessarily related to (v) as the version could be passed in many ways.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature, extension project Meta issue on project, principles, processes protocol Core mechanics of the protocol
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[WIP] Add a version parameter. ioggstream/http-signatures
2 participants
@ioggstream @liamdennehy