HTTP Requests with no certification still require IC-Certificate

I have an http request to a canister (via the http_request and http_request_update methods) that I purposefully do not want to have certification for and so I have been adding the no certification validation args to the IC-CertificateExpression header in order to avoid certification on those methods. The problem is that the request still fails with the following error:

Response verification failed: Certification values not found

Looking through the spec https://internetcomputer.org/docs/references/http-gateway-protocol-spec#response-verification-outline it seems like this is by design. The very first thing it does is check that you have a valid certificate set up in the IC-Certificate header, and it isn’t until step 7 and 8 that it looks for the IC-CertificateExpression to see if the certification has been turned off. So even though I am not doing any certification I am still required to provide all of the certification info for steps 1-6 to succeed. It feels like it would make more sense to check the IC-CertificateExpression as the very first step so that if it’s turned off it’s not required to supply anything else.

Which repository would be best to open an issue in to request that the order of the Response Verification procedure be modified to support that?

Additional Context

Normally I would use the raw subdomain to work around this but in my WSL environment localhost subdomains aren’t resolving properly. Using the IC-CertificateExpression seemed like it would provide the solution I needed, but as explained above, the order of resolution is giving me some trouble.

Hey @bdemann

Indeed, this is by design: you can skip certification, but that needs to be certified. This sounds a bit counterintuitive, but let me explain:

Certification is useful for queries, where a single replica node replies. Without certification, the replica could just inject any response it wanted to. With certification, there is the guarantee that the replicas in the subnet agree on the response. Now, if you could just set IC-CertificateExpression to skip certification a single replica could always set that and avoid certification altogether. However, sometimes it is needed to not certify a response (e.g., for dynamic data like metrics). In that case, a developer can decide to skip certification, but that has to be agreed upon by the replicas in the subnet.

You can find an example of how to “certifiably skip certification” here.

What we’re really looking for is the equivalent of the raw subdomain on localhost when you’re in an environment that doesn’t support localhost subdomains.

Do you have any suggestions for how to accomplish this? We just want the easiest way to do this, we have a few failing tests because of this, in WSL localhost subdomains are not working for us.