New version of draft-yasskin-http-origin-signed-responses-02

I've updated my signed-exchanges draft that was previously discussed at

A list of significant changes is at

Please look at the sections titled "Open Questions" and propose some
answers. :)

What kinds of changes and/or reviews do you want before adopting this as a
WG draft, perhaps at IETF101?

The one negative comment I've gotten is from Ekr, who wants clients to make
a TLS connection to the true origin (or, via the CERTIFICATE frame, to
anyone who's been issued a fake certificate) to validate the exchange. To
attempt to address this, the draft now insists that the signature's
"validityUrl" be same-origin with the claimed request URI, and
suggests that clients can fetch that URL more eagerly than just when the
signature expires.

We have an implementation in progress in Chromium:



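The same-origin requirement on "validityUrl" described in this message can be checked as sketched here. This is an added example, not code from the draft or from the Chromium implementation; the function names, the sample URLs, and the https-only and no-userinfo restrictions are assumptions.

```javascript
// Added example: compare the origin of a signature's validityUrl with the
// origin of the claimed request URI. All names and URLs are constructed.

// Returns the serialized origin (scheme, host, port) of an absolute https
// URL, or null when the string cannot be used for the comparison.
function httpsOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;    // assumption: https only
  if (url.username || url.password) return null; // assumption: no userinfo
  return url.origin; // host lowercased, default port 443 dropped
}

// True only when both URLs parse and share scheme, host and port.
function validityUrlIsSameOrigin(requestUri, validityUrl) {
  const requestOrigin = httpsOrigin(requestUri);
  const validityOrigin = httpsOrigin(validityUrl);
  return requestOrigin !== null && requestOrigin === validityOrigin;
}

// Constructed sample pairs: [claimed request URI, validityUrl].
const SAMPLES = [
  ['https://example.com/article.html', 'https://example.com/article.validity'],
  ['https://EXAMPLE.com:443/a', 'https://example.com/v'],    // same after normalization
  ['https://example.com/a', 'https://cdn.example.com/v'],    // different host
  ['https://example.com/a', 'https://example.com:8443/v'],   // different port
  ['https://example.com/a', 'http://example.com/v'],         // different scheme
  ['https://example.com/a', 'https://example.com.example.net/v'], // lookalike host
  ['https://example.com/a', '/v'],                           // not an absolute URL
];

function checkSamples() {
  return SAMPLES.map(([req, val]) => validityUrlIsSameOrigin(req, val));
}

for (const [req, val] of SAMPLES) {
  const verdict = validityUrlIsSameOrigin(req, val) ? 'accept' : 'reject';
  console.log(`${verdict}: request=${req} validityUrl=${val}`);
}
```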