
Commit

Update draft-ietf-wimse-s2s-protocol.md
Co-authored-by: Brian Campbell <[email protected]>
jsalowey and bc-pi authored Oct 8, 2024
1 parent 98309db commit b9c20db
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-ietf-wimse-s2s-protocol.md
Expand Up @@ -540,7 +540,7 @@ If the WIT only contains information that is already included in the POP signatu

If the system ensures that the information associated with a WIT is the same for a given key that is embedded in the WIT then the attacker will not be able to substitute a different WIT with the signature. Here to care must be taken to understand what is substantial difference is.

If the proof of possession includes the entire WIT in the signature then the signature will fail if the WIT is substituted and the attacker will not be able to replace the WIT.
If the proof of possession covers the entire WIT in the signature then the signature will fail if the WIT is substituted and the attacker will not be able to replace the WIT.

The last option to sign the WIT as part of the POP requires the least special verification steps. This is the approach taken by http message signatures in {{http-sig-auth}}. THe DPOP mechanism should take a similar approach if it continues to be part of the proposal.
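
Review bot: In the changed sentence, "covers the entire WIT in the signature" keeps a trailing "in the signature" that is redundant now that the verb is "covers", which already says what the signature is computed over. Consider "If the proof of possession signature covers the entire WIT, then signature verification will fail if the WIT is substituted", which also makes explicit that it is verification that fails. Since this paragraph is being edited anyway, the neighbouring context lines have typos that could be fixed in the same commit: "Here to care must be taken to understand what is substantial difference is" and "THe DPOP".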


0 comments on commit b9c20db
