New I-D: HTTP Message Signatures

Hello HTTP Working Group,

I have just published a new I-D on an old topic, HTTP Message Signatures: https://datatracker.ietf.org/doc/draft-richanna-http-message-signatures/


This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over content within an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer, and where the message may be transformed (e.g., by intermediaries) before reaching the verifier.

There is growing widespread interest in this topic (see Justin Richer’s SecDispatch presentation at IETF 106); the goal of this draft is to provide a general purpose signing mechanism that can be used directly or profiled to fit specific use cases. This draft is based on draft-cavage-http-signatures-12<https://tools.ietf.org/id/draft-cavage-http-signatures-12.txt>, which has been under independent development for several years. While we have identified several issues with that draft, in the interests of maintaining continuity with that work, we have avoided making normative changes at this time and instead documented these issues as topics for discussion. We would like the HTTP working group to consider adopting this draft, so that this discussion can happen in an open forum, with the right audience.

Please read and reply with any questions or feedback you have.

–
Annabelle Richard Backman
AWS Identity

Received on Friday, 13 December 2019 00:18:41 UTC