Binding HTTP signatures (RFC 9421) to TLS

Hi all,

The newly minted Web Bot Auth WG is considering a use case for RFC 9421.
However, Jonathan Hoyland and I are concerned that this authentication
mechanism may be insufficient for the security of the use case.

With that in mind, we'd appreciate your feedback on the following (short!)
draft that defines an HTTP signature component for binding to the TLS
channel:
https://datatracker.ietf.org/doc/draft-hoypat-httpbis-message-signatures-ekm/

We're interested to know if the WG had considered TLS binding while working
on RFC 9421 (I wasn't around for this process) and what the best way is to
implement it.

Note: We're not seeking adoption by HTTPBIS at this time. We're planning to
present the draft at Web Bot Auth next week. In preparing for that
presentation, we'd like to know if you all think this draft is useful and
going in the right direction.

Thanks in advance!
Chris P.

Received on Thursday, 30 October 2025 15:32:50 UTC
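The following is an added example illustrating the mechanism the message describes; it is not code from the draft, from RFC 9421, or from the Web Bot Auth WG. It builds an RFC 9421 signature base that covers one extra component whose value is TLS exporter keying material (RFC 8446 section 7.5), so that a signature produced over one TLS connection does not verify when the same request is replayed over another. The component name "@tls-exporter", the exporter label, the base64 encoding of the EKM, the use of hmac-sha256 and the request data are all assumptions made for illustration; the draft may define the component and its encoding differently, and a real deployment would obtain the EKM from its TLS stack rather than from a supplied exporter master secret.

```python
# Added example: binding an RFC 9421 HTTP message signature to the TLS channel.
# Not code from the draft, RFC 9421 or the Web Bot Auth WG. The component name,
# exporter label and encoding below are hypothetical choices for illustration.
import base64
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

EKM_COMPONENT = "@tls-exporter"                # hypothetical derived component name
EKM_LABEL = "EXPORTER-hypothetical-http-sig"   # hypothetical exporter label
EKM_LEN = 32


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1): HkdfLabel = length || "tls13 "+label || context."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_exporter(exporter_master_secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 exporter (RFC 8446 section 7.5). A real client/server gets this from the
    TLS library (e.g. OpenSSL's SSL_export_keying_material); here the exporter master
    secret is passed in directly so the derivation runs offline."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, "exporter", HASH(context).digest(), length)


def component_value(name: str, request: dict, ekm: bytes) -> str:
    """Value of one covered component. Each side derives the EKM from its own TLS
    connection; the value itself is never transmitted in the request."""
    if name == EKM_COMPONENT:
        return base64.b64encode(ekm).decode("ascii")
    derived = {"@method": request["method"], "@authority": request["authority"], "@path": request["path"]}
    if name in derived:
        return derived[name]
    return request["headers"][name]          # ordinary header field (lowercase name)


def signature_params(names, created: int, keyid: str, alg: str) -> str:
    """The @signature-params value as carried in the Signature-Input field."""
    inner = " ".join(f'"{n}"' for n in names)
    return f'({inner});created={created};keyid="{keyid}";alg="{alg}"'


def covered_names(params: str) -> list:
    return [n.strip('"') for n in params[1:params.index(")")].split()]


def signature_base(params: str, request: dict, ekm: bytes) -> str:
    """RFC 9421 section 2.5 signature base: one '"name": value' line per covered
    component, then the "@signature-params" line, joined with LF and no trailing LF."""
    lines = [f'"{n}": {component_value(n, request, ekm)}' for n in covered_names(params)]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(key: bytes, request: dict, ekm: bytes, created: int, keyid: str):
    names = ["@method", "@authority", "@path", "content-digest", EKM_COMPONENT]
    params = signature_params(names, created, keyid, "hmac-sha256")
    sig = hmac.new(key, signature_base(params, request, ekm).encode(), HASH).digest()
    return params, sig


def verify(key: bytes, request: dict, ekm: bytes, params: str, sig: bytes) -> bool:
    """Verifier recomputes the base with the EKM of the connection it actually received
    the request on. A signature that does not cover the EKM component is rejected so a
    signer cannot simply drop the binding."""
    if EKM_COMPONENT not in covered_names(params):
        return False
    expected = hmac.new(key, signature_base(params, request, ekm).encode(), HASH).digest()
    return hmac.compare_digest(expected, sig)


def demo():
    key = b"constructed shared HMAC key for the example"   # constructed, not a real credential
    body = b'{"url":"https://site.example/"}'
    digest = "sha-256=:" + base64.b64encode(HASH(body).digest()).decode("ascii") + ":"
    request = {"method": "POST", "authority": "origin.example", "path": "/fetch",
               "headers": {"content-digest": digest}}
    # Constructed exporter master secrets: session A is the signer's own TLS connection
    # to the origin; session B is a different connection carrying a replay of the request.
    ekm_a = tls13_exporter(HASH(b"constructed session A").digest(), EKM_LABEL, b"", EKM_LEN)
    ekm_b = tls13_exporter(HASH(b"constructed session B").digest(), EKM_LABEL, b"", EKM_LEN)
    params, sig = sign(key, request, ekm_a, created=1761838370, keyid="bot-key-1")
    accepted_on_same_channel = verify(key, request, ekm_a, params, sig)
    accepted_on_other_channel = verify(key, request, ekm_b, params, sig)
    return accepted_on_same_channel, accepted_on_other_channel


if __name__ == "__main__":
    print(demo())
```

The point to take from the two verify calls is that the bound signature is only valid on the connection whose exporter value the signer used; anything that terminates TLS in front of the origin and re-originates the request sees a different EKM and the signature fails there, which is exactly what a plain RFC 9421 signature over the request fields alone cannot guarantee.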