- From: Lucas Pardue <lucas@lucaspardue.com>
- Date: Thu, 26 Jun 2025 21:06:55 +0100
- To: "Kirill Kutsenok" <kirill@reclaimprotocol.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
- Cc: "Madhavan Malolan" <madhavan@reclaimprotocol.org>
- Message-Id: <b62a83f8-742f-4777-bdfc-c8f255c67002@app.fastmail.com>
Hi,

The petition includes the text:

> RFC 9421 is a protocol that ensures electronic responses, especially those containing personal data, are signed with a digital signature. This protocol not only verifies the source of the data but also secures its integrity during transmission.

This seems to ignore the requirements in RFC 9421 section 1.4 [1], with respect to how to apply HTTP Message Signatures. It's also ambiguous what integrity is referring to. Perhaps section 7.2.8, Message content is not covered by HTTP Signatures. Although there are examples of how to use RFC 9530 for this capability, it is not a normative requirement of RFC 9421. And again, application of HTTP Signatures depends on section 1.4.

All that is to say, a profile or application mapping of these technologies to solve the problem is the prerequisite to efforts like this.

Cheers
Lucas

[1] - https://datatracker.ietf.org/doc/html/rfc9421#section-1.4

On Thu, Jun 12, 2025, at 12:50, Kirill Kutsenok wrote:
> Hello HTTP WG,
>
> I would like to share a petition advocating for broader adoption and, where applicable, regulatory enforcement of RFC 9421 <https://www.rfc-editor.org/rfc/rfc9421.html>, which defines HTTP Message Signatures:
> https://www.change.org/p/mandate-rfc-9421-for-signing-digital-responses-containing-user-data
>
> The motivation behind this effort is the increasing reliance on digital documents (such as bank statements or activity records) that users retrieve from websites and later present to third parties. Without a standard mechanism to authenticate these documents, their integrity and origin are often difficult to verify. RFC 9421 offers a potential solution by enabling digital signatures on HTTP responses, allowing recipients to validate the source and contents of the data.
>
> The petition specifically calls for policymakers, regulators, and platform providers to consider mandating support for this mechanism in contexts where users are expected to share digital records with third parties. While widespread voluntary adoption would be beneficial, regulatory endorsement could provide a clearer trust model for consumers and relying parties.
>
> While this initiative is not affiliated with the IETF, I thought it relevant to share with the working group given the technical overlap. Feedback is welcome, especially regarding real-world deployment considerations or known challenges with adoption.
>
> Thanks for your time.
>
> —
> Kirill Kutsenok
> Cryptography Researcher, Reclaim Protocol (https://reclaimprotocol.org)
Received on Thursday, 26 June 2025 20:07:20 UTC
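To make the section 7.2.8 point in the reply above concrete, here is an added example (not code from the thread, the IETF, or Reclaim Protocol) that builds an RFC 9421 signature base for a response with and without the RFC 9530 Content-Digest field as a covered component, then checks whether a verifier still accepts a response whose body was replaced. The shared hmac-sha256 key, key id, label, sample bodies, and the simplified Structured Field parsing are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; RFC 9421 registers this algorithm as "hmac-sha256".
SHARED_KEY = b"constructed-demo-shared-secret"
KEY_ID = "test-key"
LABEL = "sig1"

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value: sha-256 of the body as a byte sequence."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def signature_base(covered, values, params):
    """RFC 9421 section 2.5: one '"name": value' line per covered component,
    then the "@signature-params" line, joined by LF with no trailing newline."""
    lines = [f'"{name}": {values[name]}' for name in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def sign_response(status, content_type, body, cover_content, created=1618884473):
    """Return (Content-Digest, Signature-Input, Signature) field values for a response.
    With cover_content=False the body is outside the signature (RFC 9421 s7.2.8)."""
    covered = ["@status", "content-type"] + (["content-digest"] if cover_content else [])
    values = {"@status": str(status), "content-type": content_type,
              "content-digest": content_digest(body)}
    params = "(" + " ".join(f'"{c}"' for c in covered) + f');created={created};keyid="{KEY_ID}"'
    base = signature_base(covered, values, params).encode()
    mac = base64.b64encode(hmac.new(SHARED_KEY, base, hashlib.sha256).digest()).decode()
    return values["content-digest"], f"{LABEL}={params}", f"{LABEL}=:{mac}:"

def verify_response(status, content_type, body, digest_field, sig_input, signature):
    """Check Content-Digest against the body (RFC 9530), then rebuild the signature
    base from exactly the components listed in Signature-Input and check the MAC."""
    if digest_field != content_digest(body):
        return False
    params = sig_input[len(LABEL) + 1:]
    covered = params[1:params.index(")")].replace('"', "").split()
    values = {"@status": str(status), "content-type": content_type,
              "content-digest": digest_field}
    base = signature_base(covered, values, params).encode()
    expected = hmac.new(SHARED_KEY, base, hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature[len(LABEL) + 2:-1]))

def swapped_body_accepted(cover_content):
    """Sign a statement, then replace the body and re-issue a matching Content-Digest,
    as any party in the path could. True means the verifier still accepts it."""
    digest, sig_input, sig = sign_response(200, "application/json", b'{"balance": 100}', cover_content)
    forged = b'{"balance": 999999}'
    return verify_response(200, "application/json", forged, content_digest(forged), sig_input, sig)
```

Only the variant that lists "content-digest" in Signature-Input rejects the swapped body; the other verifies cleanly, which is why a profile has to say which components an application must cover.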