7.4.2. Matching Values of Covered Components to Values in the Target Message

The verifier needs to make sure that the signed message components match those in the message itself. For example, the @method derived component requires that the value within the signature base be the same as the HTTP method used when presenting this message. This specification encourages this by requiring the verifier to derive the signature base from the message, but lazy caching or conveyance of a raw signature base to a processing subsystem could lead to downstream verifiers accepting a message that does not match the presented signature.

To counter this, the component that generates the signature base needs to be trusted by both the signer and verifier within a system.
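The following is an added example, not code from RFC 9421 or any implementation it references. It uses a deliberately simplified rendering of the signature base (a few derived components plus one header field, signed with HMAC-SHA256, one of the algorithms the specification lists) to contrast a verifier that rederives the signature base from the message it actually received with a "lazy" verifier that trusts a signature base conveyed by an upstream subsystem. All keys, identifiers, and request values are constructed for the illustration; `HttpRequest`, `build_signature_base`, `verify_by_rederiving`, and `verify_conveyed_base` are names chosen here, not API from the specification.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


# Constructed stand-in for an HTTP request as seen by the signer or the verifier.
@dataclass
class HttpRequest:
    method: str
    authority: str
    path: str
    headers: dict = field(default_factory=dict)  # lowercase field names -> values


def build_signature_base(req: HttpRequest, components: list, sig_params: str) -> str:
    """Derive the signature base from the message itself (simplified RFC 9421 form).

    Each covered component becomes one line of the form '"<id>": <value>'; the final
    line carries the signature parameters. Only @method, @authority, @path and plain
    header fields are handled here; this is an illustration, not a full implementation.
    """
    lines = []
    for cid in components:
        if cid == "@method":
            value = req.method.upper()
        elif cid == "@authority":
            value = req.authority.lower()
        elif cid == "@path":
            value = req.path
        elif cid.startswith("@"):
            raise ValueError(f"unsupported derived component: {cid}")
        else:
            value = req.headers[cid]  # KeyError if a covered field is absent: cannot verify
        lines.append(f'"{cid}": {value}')
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines)


def hmac_sha256(key: bytes, base: str) -> bytes:
    return hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()


def sign(key: bytes, req: HttpRequest, components: list, sig_params: str) -> bytes:
    return hmac_sha256(key, build_signature_base(req, components, sig_params))


def verify_by_rederiving(key: bytes, req: HttpRequest, components: list,
                         sig_params: str, signature: bytes) -> bool:
    """Correct verifier: rebuilds the base from the message it is actually processing,
    so any covered component that differs from the signed value fails verification."""
    expected = hmac_sha256(key, build_signature_base(req, components, sig_params))
    return hmac.compare_digest(expected, signature)


def verify_conveyed_base(key: bytes, conveyed_base: str, signature: bytes) -> bool:
    """Flawed verifier: trusts a signature base handed over by an upstream subsystem
    and never checks it against the message in front of it."""
    return hmac.compare_digest(hmac_sha256(key, conveyed_base), signature)


def demo() -> dict:
    key = b"constructed-shared-secret"  # constructed value
    components = ["@method", "@authority", "@path", "content-type"]
    sig_params = ('("@method" "@authority" "@path" "content-type")'
                  ';created=1618884473;keyid="test-key"')  # constructed parameters
    original = HttpRequest("POST", "example.com", "/items",
                           {"content-type": "application/json"})
    signature = sign(key, original, components, sig_params)
    # The base as computed upstream and, in the flawed design, cached or forwarded.
    conveyed = build_signature_base(original, components, sig_params)
    # The message actually presented downstream: its method no longer matches the
    # signed @method value, so a correct verifier must reject it.
    presented = HttpRequest("DELETE", "example.com", "/items",
                            {"content-type": "application/json"})
    return {
        "rederived_original": verify_by_rederiving(key, original, components, sig_params, signature),
        "rederived_presented": verify_by_rederiving(key, presented, components, sig_params, signature),
        "conveyed_presented": verify_conveyed_base(key, conveyed, signature),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third result is the failure mode the section warns about: the conveyed base still matches the signature, so the downstream verifier accepts a message whose covered `@method` differs from what was signed. The fix is architectural rather than cryptographic: the signature base must be produced by a component the verifier trusts and fed from the message being processed, never accepted as opaque input.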