- From: The IESG <iesg-secretary@ietf.org>
- Date: Wed, 16 Aug 2023 06:48:50 -0700
- To: "IETF-Announce" <ietf-announce@ietf.org>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-message-signatures@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, paul.wouters@aiven.io, rfc-editor@rfc-editor.org, tpauly@apple.com
The IESG has approved the following document:
- 'HTTP Message Signatures'
  (draft-ietf-httpbis-message-signatures-19.txt) as Proposed Standard

This document is the product of the HTTP Working Group.

The IESG contact persons are Murray Kucherawy, Paul Wouters and Francesca Palombini.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/

Technical Summary

This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer, and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.

Working Group Summary

At IETF 114, there was concern raised (by Chris Wood) that there should be more formal analysis performed, akin to the process normally used in CFRG. This document was then presented at IETF 115 in SAAG for broad discussion of formal analysis as well as to get specific feedback on this document. The sense of that room was that formal analysis was not a gating factor that is present for security documents, and the comments about this document were positive. Separately, an academic formal analysis is ongoing, but the chairs have decided to progress this document to the IETF and IESG in parallel with that work.

Document Quality

This document spent a couple years in the working group, and got feedback from many contributors, both from people specifically interested in signatures, as well as the people involved in generic HTTP. It received quite careful review and the shepherd senses it has broad agreement. The WGLC didn't receive many specific email responses, but there was sufficient discussion on GitHub and in the meeting to confirm consensus.

There are many implementations of earlier versions of signatures, and this version has also received implementation and interop testing, which has been discussed and presented to the working group. (Note that this is not documented in the document itself.)

This document mainly overlaps with security area. It received an early SecDir review last year, as well as extra reviews in the past month by security area reviewers (such as Kyle Rose).

Personnel

Document Shepherd: Tommy Pauly
Responsible Area Director: Paul Wouters stepping in for Francesca Palombini

Received on Wednesday, 16 August 2023 13:48:58 UTC