Roberto Polli
Sensitive information like Authorization should not be passed in query string. Allowing insecure implementations is problematic: JWT needed a [whole new draft](https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-07) to address security issues. My understanding is that...
@msporny can we close this issue?
@mnot does it sound reasonable to you?
I suggest defining the authorization header in another draft. This one is already too complex. On Thu 15 Aug 2019, 20:34 Andrew Jones wrote: > In the signature...
@msporny > the spec tries not to be super prescriptive about which headers are signed That's clear. The point is: 1. Content-{Type,Encoding,Language,Location} representation metadata they act on the representation (aka...
@dlongley AFAIK, as `Digest` is a property of the selected representation, it: - MUST be calculated on the Content-Encoded payload - MUST be validated *before decoding*. > so signing Content-Encoding may...
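Added example (not code from the thread's author or from the draft): a Python sketch of the two rules in the comment above, with the `Digest` value (RFC 3230 field syntax, `sha-256=<base64>`) computed over the gzip-encoded bytes as sent on the wire, and a receiver that checks it against the still-encoded body and only decompresses after the check passes. The JSON body and the helper names are constructed for the example.

```python
import base64
import gzip
import hashlib
import hmac

# Constructed sample: a representation that a server would serve with
# "Content-Encoding: gzip". mtime=0 keeps the gzip output deterministic.
BODY = b'{"hello": "world"}'
ENCODED_BODY = gzip.compress(BODY, mtime=0)


def b64_sha256(data: bytes) -> str:
    """base64 of the SHA-256 digest, as used in the Digest field value."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def digest_header(encoded_body: bytes) -> str:
    """Build the Digest field value over the bytes *after* Content-Encoding,
    i.e. over exactly what travels on the wire (rule 1 in the comment)."""
    return "sha-256=" + b64_sha256(encoded_body)


def verify_then_decode(encoded_body: bytes, digest_value: str, content_encoding: str) -> bytes:
    """Receiver side (rule 2): validate Digest against the received, still-encoded
    bytes first, and decode only once that check has passed. Decoding untrusted
    bytes before validating them would mean running a decompressor on data whose
    integrity is unknown."""
    algo, _, expected = digest_value.partition("=")  # algorithm names contain no '='
    if algo.lower() != "sha-256":
        raise ValueError(f"unsupported digest algorithm: {algo}")
    actual = b64_sha256(encoded_body)
    if not hmac.compare_digest(actual, expected):
        raise ValueError("Digest mismatch: refusing to decode the body")
    if content_encoding == "gzip":
        return gzip.decompress(encoded_body)
    if content_encoding in ("", "identity"):
        return encoded_body
    raise ValueError(f"unsupported Content-Encoding: {content_encoding}")


def digest_matches(encoded_body: bytes, digest_value: str, content_encoding: str) -> bool:
    """Convenience wrapper: True if the body verifies and decodes, False on mismatch."""
    try:
        verify_then_decode(encoded_body, digest_value, content_encoding)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = digest_header(ENCODED_BODY)
    print("Digest:", good)
    print("decoded:", verify_then_decode(ENCODED_BODY, good, "gzip"))
    # A Digest computed over the *decoded* body (the common mistake) does not
    # match the bytes on the wire and is rejected before any decompression.
    print("digest over decoded body accepted?", digest_matches(ENCODED_BODY, digest_header(BODY), "gzip"))
```

The `digest_matches(ENCODED_BODY, digest_header(BODY), "gzip")` call at the end shows why the "Content-Encoded payload" rule matters: a digest taken over the decoded representation cannot be checked by an intermediary or client that only sees the encoded bytes, so it is rejected rather than silently "fixed up" by decoding first.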
> IETF frowns upon having two [identical] RFCs I understand. I see though that with signature and authentication we have two big challenges that may be complex to address in...
@LPardue I had a brief discussion on updating RFC 3230 to reference "Selected Representation" here - https://github.com/martinthomson/http-mice/issues/11#issuecomment-409415793 How did it end with your `Digest` header? PS: check your 19jul emails...
@msporny probably the first step is to add all those considerations to the [Security] section.
We're addressing this in https://datatracker.ietf.org/doc/draft-polli-resource-digests-http/