Signed HTTP Exchanges - authorization


I read the draft dated November 9th 2018 and there doesn't seem to be a way for a publisher to limit what intermediate parties are allowed to transfer the signed content on their behalf.
Why is this necessary?
- the publisher may want an agreement with intermediates to receive the access log for the signed http exchanges they are otherwise not aware of
- the publisher may only trust certain intermediates with the privacy considerations as listed in section 7

There are probably more reasons why adding a mechanism to only authorize certain intermediates (for example by hostname) is desirable.

-Sven Neuhaus

[electronica 2018 - Munich | 11/13/ - 11/16/2018 | Hall B4 | Booth 439]

Received on Monday, 12 November 2018 10:54:03 UTC