[12:53:02] <lucaspardue> @Mark Nottingham I messed up the digests slides first time around, I have a PR with a more correct version at https://github.com/httpwg/wg-materials/pull/57
[12:53:08] <Mark Nottingham> sigh
[12:53:37] <Mark Nottingham> you're taking minutes, Lucas :)
[12:53:46] <lucaspardue> apologies
[12:54:12] <Mark Nottingham> someone is on the webex as "self-isolate"
[12:54:24] <Mark Nottingham> Either they typed the password in the username field, or they're being funny
[12:56:37] <lucaspardue> wow my machine is failing to find my audio hardware, let me dig out the backup
[12:59:12] <Tommy Pauly> Blue sheet is here: https://etherpad.ietf.org:9009/p/notes-ietf-interim-2020-httpbis-01-httpbis?useMonospaceFont=true
[13:05:36] <Martin Thomson> Fabulous, lost slides again...
[13:06:13] <Martin Thomson> Question: what do you do with all the stuff that isn't signed again?
[13:06:41] <jhoyla> Me too, Webex is not the most reliable software I have ever used.
[13:08:37] <Martin Thomson> Why would you ever not include the request target?
[13:09:25] <lucaspardue> because its a response?
[13:09:43] <Martin Thomson> exactly - are you ever in a position to be confused about that?
[13:10:41] <Roberto Polli> +1 for Signature-Input though it's similar to Signed-Headers from webpackage
[13:11:13] <Roberto Polli> @lucaspardue imho the spec should work for both requests and responses
[13:12:40] <jhoyla> What does it mean to have one signature cover another?
[13:12:54] <jhoyla> As in, what information is that intended to convey?
[13:13:58] <lucaspardue> "intermediary N is signing the downstream's provided headers"
[13:14:50] <jhoyla> Does that require the intermediary to not modify the headers at all?
[13:15:16] <Martin Thomson> https://gist.github.com/martinthomson/4e777ba5e5fdfa73cce1544b17d689ba
[13:16:47] <Roberto Polli> Q1: in both the slides and gh there's a proposal to remove `expires`. imho it not a secure choice as it put the signature out of control of the signer
[13:17:49] <Martin Thomson> Roberto: can you turn your video off please?
[13:18:57] <Roberto Polli> Q2: Probably I would retain the signature and its metadata together
[13:19:34] <hardie> Do we have a jabber relay?
[13:20:35] <James Gruessing> It appears we don’t explicitly.
[13:20:59] <hardie> Since Roberto is speaking, we apparently don't need it at the moment.
[13:25:13] <Martin Thomson> where are the slides?  I can't find them on the GitHub Repo
[13:26:18] <jhoyla> Ugh, slides died again ...
[13:26:21] <James Gruessing> Martin: https://github.com/httpwg/wg-materials/tree/gh-pages/interim-20-05 if you’re talking about Annabelle’s slides, I think Mark said they’d be added later?
[13:26:52] <Martin Thomson> ahh, I missed the bit where they weren't available ahead of time
[13:27:24] <James Gruessing> Apparently they were only emailed 10 minutes before start of meeting.
[13:27:41] <Martin Thomson> That was very tolerant of Mark on our behalf
[13:32:06] <bdc> Mark and Tommy had asked that slides be sent a week before...
[13:32:32] <hardie> Experimental if there is no client implementation seems like a useful way to get this documented and allow for some use.
[13:37:41] <Martin Thomson> Nope
[13:41:59] <Roberto Polli> lucaspardue: parameters could be useful for MICE+digest
[13:48:45] <Martin Thomson> lucaspardue: I think that Watson is right if you are talking about protecting using sha-256 (for example), but id-sha-256 isn't vulnerable to the same.
[13:50:58] <lucaspardue> yeah I tend to agree
[13:52:01] <Martin Thomson> Of course, the proxy that translates content codings needs to recalculate the digest, so you are pretty much guaranteed to be exposed to not just bugs in the implementation, but malice or incompetence at the proxy
[14:04:35] <lucaspardue> yeah, I think an origin worried about this would want to provide the `id-sha-256` in the hope that it makes it all the way through to the client
[14:04:58] <jhoyla> This sounds like a job for a Ph.D. student.
[14:05:15] <jhoyla> Important + not urgent is where Ph.D. students live :P.
[14:09:35] <Martin Thomson> send in midders.  only.
[14:10:57] <Martin Thomson> this is a clear extension to me, as it doesn't affect any processing
