Re: Binding HTTP signatures (RFC 9421) to TLS

Hi Chris,
I have not evaluated your solution for replay protection; rather, I have thought a bit about possible issues with bot security and signatures.

HTTP Signatures (RFC 9421) are fine but lack one item: a serialization format. Due to this I'm working with signature schemes that are more adapted for embedding, counter-signatures, multi-hop, and archival:
https://github.com/cyberphone/cbor-everywhere/tree/main?tab=readme-ov-file#signed-http-requests

Just some food for thought.

Regards,
Anders

On 2025-10-30 16:31, Christopher Patton wrote:
> Hi all,
> 
> The newly minted Web Bot Auth WG is considering a use case for RFC 9421. However, Jonathan Hoyland and I are concerned that this authentication mechanism may be insufficient for the security of the use case.
> 
> With that in mind, we'd appreciate your feedback on the following (short!) draft that defines an HTTP signature component for binding to the TLS channel:
> https://datatracker.ietf.org/doc/draft-hoypat-httpbis-message-signatures-ekm/
> 
> We're interested to know if the WG had considered TLS binding while working on RFC 9421 (I wasn't around for this process) and what the best way is to implement it.
> 
> Note: We're not seeking adoption by HTTPBIS at this time. We're planning to present the draft at Web Bot Auth next week. In preparing for that presentation, we'd like to know if you all think this draft is useful and going in the right direction.
> 
> Thanks in advance!
> Chris P.

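Chris's message above describes an HTTP signature component that binds an RFC 9421 signature to the TLS channel via exported keying material (EKM). The following is an added example, not code from the thread, from the draft, or from RFC 9421's authors, showing why the binding matters: a relay that captures a signed request and forwards it over its own TLS connection gets an unbound signature accepted, but a signature that covers an EKM-derived component fails because the origin derives that value from its own connection. Everything beyond RFC 9421's signature-base format is an assumption: the component name `@tls-ekm` and the exporter label are made up for this example (they are not the draft's names), `hmac-sha256` stands in for the asymmetric algorithm a bot would use, and the TLS exporter is simulated with an HMAC over a per-connection random secret rather than a real RFC 8446 section 7.5 / RFC 5705 exporter call.

```python
"""Added example: TLS channel binding for RFC 9421 HTTP message signatures.

Assumptions (all mine, not from the thread or the draft):
  * Algorithm is hmac-sha256 (registered in RFC 9421); a real bot would use a
    public-key algorithm such as ed25519, but the binding logic is identical.
  * The TLS exporter is simulated: tls_exporter() derives a value from a
    per-connection secret. Real code would call the TLS library's
    export_keying_material() on each end of the same connection.
  * The derived component is called "@tls-ekm" here. That name and the
    exporter label are hypothetical, chosen for this example only.
"""
import base64
import hashlib
import hmac
import os


def serialize_signature_base(components, params):
    """RFC 9421 signature base: one '"name": value' line per covered
    component, then the "@signature-params" line, joined with LF."""
    lines = ['"%s": %s' % (name, value) for name, value in components]
    lines.append('"@signature-params": %s' % params)
    return "\n".join(lines).encode()


def signature_params(component_names, created, keyid):
    """Inner list of covered component identifiers plus created/keyid."""
    inner = " ".join('"%s"' % n for n in component_names)
    return '(%s);created=%d;keyid="%s"' % (inner, created, keyid)


def sign(key, components, created, keyid):
    """hmac-sha256 over the signature base, base64 as in a Signature field."""
    params = signature_params([n for n, _ in components], created, keyid)
    mac = hmac.new(key, serialize_signature_base(components, params), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify(key, components, created, keyid, sig_b64):
    """Verifier rebuilds the base from *its own* view of the message and
    (for the binding component) its own TLS connection, then compares."""
    return hmac.compare_digest(sign(key, components, created, keyid), sig_b64)


def tls_exporter(connection_secret, label, length=32):
    """Stand-in for the TLS exporter: both peers of one connection derive the
    same value from the shared connection secret and label. Simulated with
    HMAC; different connections have different secrets, so different EKM."""
    return hmac.new(connection_secret, label, hashlib.sha256).digest()[:length]


def request_components(ekm):
    """Covered components for a constructed POST; ekm=None means no binding.
    The "@tls-ekm" name is hypothetical (see module docstring)."""
    body = b'{"q": "x"}'  # constructed request body
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    comps = [
        ("@method", "POST"),
        ("@authority", "origin.example"),
        ("@path", "/api/crawl"),
        ("content-digest", "sha-256=:%s:" % digest),
    ]
    if ekm is not None:
        comps.append(("@tls-ekm", base64.b64encode(ekm).decode()))
    return comps


def relay_demo():
    """Returns (unbound_accepted, bound_relayed_accepted, bound_direct_accepted).

    Scenario: the bot signs a request over TLS connection A. A relay forwards
    the same headers over its own TLS connection B to the origin. The origin
    never copies the EKM value out of the request; it derives it from the
    connection the request actually arrived on."""
    key = b"constructed shared hmac key between bot and origin"
    created, keyid = 1730300000, "bot-key-1"
    conn_a = os.urandom(32)               # bot <-> relay connection secret
    conn_b = os.urandom(32)               # relay <-> origin connection secret
    label = b"EXPORTER-http-sig-demo"     # hypothetical exporter label

    # 1. No binding: the relayed signature verifies on connection B.
    sig = sign(key, request_components(None), created, keyid)
    unbound_accepted = verify(key, request_components(None), created, keyid, sig)

    # 2. Binding: the bot covers EKM of connection A ...
    ekm_a = tls_exporter(conn_a, label)
    sig_bound = sign(key, request_components(ekm_a), created, keyid)
    # ... but the origin derives EKM from connection B, so the relay fails.
    ekm_b = tls_exporter(conn_b, label)
    bound_relayed_accepted = verify(key, request_components(ekm_b), created, keyid, sig_bound)
    # Delivered directly over connection A, the origin derives ekm_a and accepts.
    bound_direct_accepted = verify(key, request_components(ekm_a), created, keyid, sig_bound)
    return unbound_accepted, bound_relayed_accepted, bound_direct_accepted


if __name__ == "__main__":
    print(relay_demo())
```

The point the verifier side makes is the important one: the binding only helps if the origin computes the component from its own TLS endpoint rather than trusting a value carried in the request, otherwise the relay simply forwards the bot's value along with the rest of the headers.
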
Received on Friday, 31 October 2025 11:23:30 UTC