[doseta-discuss] Doing a DOSETA variant
Bill Burke
bburke at redhat.com
Wed Jul 13 13:57:34 PDT 2011
On 7/13/11 4:10 PM, Dave CROCKER wrote:
>
>
> On 7/12/2011 11:24 AM, Bill Burke wrote:
>>>> I'm not exactly clear what this section allows. For example, I'd like
>>>> to use
>>>> doseta to only sign a set of headers that come with the request
>>>
>>> You are describing a very different kind of rule for selecting header
>>> fields than the DOSETA base uses. Nothing says that using a template
>>> like this requires rigid adherence to every detail of the template. So,
>>> there's nothing wrong with what you want to do, of course, but it needs
>>> distinct specification language. (And, of course, it will affect the
>>> ability to use any existing DOSETA software.)
>>>
>>
>> Oh. I thought DOSETA allowed you to add an arbitrary list of headers
>> to add to
>> the signature calculation? I just wanted the option to leave out the
>> "bh" field.
>
>
> Wow. Just re-read your text and got a completely different sense of what
> you want. This time I think I am in sync. Sorry for the confusion.
>
> I thought you wanted a variant of header field hashing, rather than
> merely wanting to leave out the body from the signature.
>
> If you do the full algorithm, but make l=0, I think you'll get the
> effect you want, since none of the body will be covered by the signature.
>
Yes, exactly :)
I also wanted to more cleanly separate the
verification/canonicalization/signing/signature template description
from key management/key discovery. Maybe even into a separate doc.
Reason? Other spec efforts may want to sign parts of an HTTP or Email
message and build off the work done by DKIM, but may want a different
way to deal with key management/discovery.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
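
Added example, not part of the original thread or of any DOSETA code: a sketch of what l=0 does to the body hash, assuming DOSETA keeps DKIM's l= and bh= semantics and using RFC 6376 "simple" body canonicalization with SHA-256. The function names and sample bodies are hypothetical.

```python
import base64
import hashlib
from typing import Optional


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines and end the body with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """Value of bh=: base64(SHA-256) over the first l octets of the
    canonicalized body, or over all of it when l is absent."""
    canon = canonicalize_body_simple(body)
    if l is not None:
        if l > len(canon):
            raise ValueError("l= is larger than the canonicalized body")
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def uncovered_octets(body: bytes, l: Optional[int] = None) -> int:
    """Octets of the received body that the signature says nothing about."""
    canon = canonicalize_body_simple(body)
    return 0 if l is None else len(canon) - l


# Constructed sample bodies (not taken from any real message).
SIGNED_BODY = b'{"amount": 10}\r\n'
OTHER_BODY = b'{"amount": 9999}\r\n\r\n'

if __name__ == "__main__":
    for l in (None, 0):
        same = body_hash(SIGNED_BODY, l) == body_hash(OTHER_BODY, l)
        print(f"l={l}: bh matches for a different body: {same}, "
              f"uncovered octets: {uncovered_octets(OTHER_BODY, l)}")
```

With l=0 the bh value is the hash of zero octets whatever the body contains, so a verifier that accepts such a signature should treat the body as unauthenticated and rely only on the signed header fields.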