7.4.4. Multiple Message Component Contexts

It is possible that the context for deriving message component values could be distinct for each signature present within a single message. This is particularly the case when proxies mutate messages and include signatures over the mutated values, in addition to any existing signatures. For example, a reverse proxy can replace a public hostname in a request to a service with the hostname for the individual service host to which it is forwarding the request. If both the client and the reverse proxy add signatures covering @authority, the service host will see two signatures on the request, each signing different values for the @authority message component, reflecting the change to that component as the message made its way from the client to the service host.

In such a case, it's common for the internal service to verify only one of the signatures or to use externally configured information, as discussed in Section 7.4.3. However, a verifier processing both signatures has to use a different message component context for each signature, since the component value for the @authority component will be different for each signature. Verifiers like this need to be aware of both the reverse proxy's context for incoming messages and the target service's context for the message coming from the reverse proxy. The verifier needs to take particular care to apply the correct context to the correct signature; otherwise, an attacker could use knowledge of this complex setup to confuse the inputs to the verifier.

Such verifiers also need to ensure that any differences in message component contexts between signatures are expected and permitted. For example, in the above scenario, the reverse proxy could include the original hostname in a Forwarded header field and could sign @authority, forwarded, and the client's entry in the Signature field. The verifier can use the hostname from the Forwarded header field to confirm that the hostname was transformed as expected.
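
The sketch below is an added example, not text or code from the specification: a verifier that applies a separate @authority context to each signature and uses the proxy-signed Forwarded field to confirm that the hostname rewrite is a permitted one. The hostnames, keys, the allowed_rewrites set and all function names are constructed for illustration; HMAC-SHA256 with shared keys and a single-element Forwarded parse keep it short, and the proxy's coverage of the client's entry in the Signature field is left out.

```python
import hashlib
import hmac
PUBLIC, INTERNAL = "api.example.com", "svc-7.internal.example"  # constructed names
KEYS = {"client": b"client-demo-key", "proxy": b"proxy-demo-key"}  # constructed keys

def signature_base(sig, authority, headers):
    # @authority comes from the context supplied for THIS signature, not the wire.
    lines = [f'"{c}": {authority if c == "@authority" else headers[c]}'
             for c in sig["covered"]]
    lines.append(f'"@signature-params": {sig["params"]}')
    return "\n".join(lines).encode()

def mac(key, sig, authority, headers):
    return hmac.new(key, signature_base(sig, authority, headers), hashlib.sha256).digest()

def sign(key, covered, keyid, authority, headers):
    params = "(" + " ".join(f'"{c}"' for c in covered) + f');keyid="{keyid}"'
    sig = {"covered": covered, "params": params}
    sig["value"] = mac(key, sig, authority, headers)
    return sig

def check(sig, key, authority, headers):
    return hmac.compare_digest(mac(key, sig, authority, headers), sig["value"])

def forwarded_host(headers):
    # Simplified parse: a single Forwarded element with unquoted values.
    pairs = dict(p.strip().split("=", 1) for p in headers["forwarded"].split(";"))
    return pairs.get("host")

def verify_request(headers, sigs, contexts, allowed_rewrites):
    """contexts maps each signature label to the @authority its signer saw."""
    # The proxy must have signed both the rewritten name and the original one.
    covered_ok = ({"@authority", "forwarded"} <= set(sigs["proxy"]["covered"])
                  and "@authority" in sigs["client"]["covered"])
    if "forwarded" not in headers or not covered_ok:
        return False
    if not check(sigs["proxy"], KEYS["proxy"], contexts["proxy"], headers):
        return False
    # Forwarded is trusted only now that the signature covering it has verified.
    original = forwarded_host(headers)
    if original != contexts["client"] or (original, contexts["proxy"]) not in allowed_rewrites:
        return False  # the difference between contexts is not a permitted one
    return check(sigs["client"], KEYS["client"], contexts["client"], headers)

def demo_message():
    headers = {"forwarded": f"host={PUBLIC};proto=https"}  # added by the proxy
    return headers, {
        "client": sign(KEYS["client"], ["@authority"], "client", PUBLIC, headers),
        "proxy": sign(KEYS["proxy"], ["@authority", "forwarded"], "proxy", INTERNAL, headers)}
```

Swapping the two contexts, or verifying both signatures against the service host's own @authority, makes verification fail even though both signatures are genuine.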