W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2019

Re: New I-D: HTTP Message Signatures

From: Rob Sayre <sayrer@gmail.com>
Date: Sun, 15 Dec 2019 13:12:11 -0800
Message-ID: <CAChr6SyUXwg061TAf2TA4C83WjQw8rJDaP4Jh8ijBDhiHbz-pQ@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Justin Richer <justin@bspk.io>, Manu Sporny <msporny@digitalbazaar.com>
On Thu, Dec 12, 2019 at 4:22 PM Richard Backman, Annabelle <
richanna@amazon.com> wrote:

> Hello HTTP Working Group,
> I have just published a new I-D on an old topic, HTTP Message Signatures:
> https://datatracker.ietf.org/doc/draft-richanna-http-message-signatures/
> This document describes a mechanism for creating, encoding, and verifying
> digital signatures or message authentication codes over content within an
> HTTP message. This mechanism supports use cases where the full HTTP message
> may not be known to the signer, and where the message may be transformed
> (e.g., by intermediaries) before reaching the verifier.
> There is growing widespread interest in this topic (see Justin Richer’s
> SecDispatch presentation at IETF 106); the goal of this draft is to provide
> a general purpose signing mechanism that can be used directly or profiled
> to fit specific use cases.


Thanks for writing this up. I'd like Appendix B to compare and contrast the
draft with AWSv4, which seems to be good enough for many use cases.

In particular, I've noticed that mobile clients tend to segment uploads so
they can be resumed, and servers segment streaming media so they can switch
quality settings using things like HLS and DASH.

Received on Sunday, 15 December 2019 21:12:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:43 UTC