Re: Binding HTTP signatures (RFC 9421) to TLS

How does this compare to using something like
https://www.rfc-editor.org/rfc/rfc9729.html

HTTP message signatures is trying to sign the abstract HTTP message, in a
way that still passes through intermediaries and the various different ways
they can be encoded. And so it paid an inordinate amount of complexity to
try to sign things in a way that was independent of these transforms.

But by adding a channel binding, none of that applies anymore. So all the
complexity seems to be a waste, because you're not actually signing an
abstract HTTP message. You're signing a particular channel that carried the
HTTP message.

Have you considered instead something closer to HTTP auth? E.g. RFC 9729
signs a channel binding.
https://www.rfc-editor.org/rfc/rfc9729.html

On Fri, Oct 31, 2025, 07:28 Anders Rundgren <anders.rundgren.net@gmail.com>
wrote:

> Hi Chris,
> I have not evaluated your solution for replay protection, I have rather
> thought a bit about possible issues with bot security and signatures.
>
> HTTP Signatures (RFC 9412) are fine but lack one item: a serialization
> format.  Due to this I'm working with signature schemes that are more
> adapted for Embedding, Counter-signatures, Multi-hop, and Archival:
>
> https://github.com/cyberphone/cbor-everywhere/tree/main?tab=readme-ov-file#signed-http-requests
>
> Just some food for thoughts.
>
> Regards,
> Anders
>
> On 2025-10-30 16:31, Christopher Patton wrote:
> > Hi all,
> >
> > The newly minted Web Bot Auth WG is considering a use case for RFC 9421.
> > However, Jonathan Hoyland and I are concerned that this authentication
> > mechanism may be insufficient for the security of the use case.
> >
> > With that in mind, we'd appreciate your feedback on the following
> > (short!) draft that defines an HTTP signature component for binding to the
> > TLS channel:
> >
> > https://datatracker.ietf.org/doc/draft-hoypat-httpbis-message-signatures-ekm/
> >
> > We're interested to know if the WG had considered TLS binding while
> > working on RFC 9421 (I wasn't around for this process) and what the best
> > way is to implement it.
> >
> > Note: We're not seeking adoption by HTTPBIS at this time. We're planning
> > to present the draft at Web Bot Auth next week. In preparing for that
> > presentation, we'd like to know if you all think this draft is useful and
> > going in the right direction.
> >
> > Thanks in advance!
> > Chris P.
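An added illustration (not code from the draft or from any poster in this thread) of what a channel-bound RFC 9421 signature base looks like: the RFC 8446 exporter value is carried as a derived component, so a signature made over one TLS connection fails to verify against the exporter value of another. The component name "@tls-ekm", the exporter label, the shared HMAC key and the exporter master secrets are all assumptions for illustration.

```python
import hashlib
import hmac
import struct

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1, SHA-256 variant."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand: T(i) = HMAC(secret, T(i-1) | info | i)
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.5 exporter: Derive-Secret(ems, label, "") then expand with Hash(context)."""
    derived = hkdf_expand_label(exporter_master_secret, label, hashlib.sha256(b"").digest(), 32)
    return hkdf_expand_label(derived, b"exporter", hashlib.sha256(context).digest(), length)

def signature_base(components: list[tuple[str, str]], params: str) -> bytes:
    """RFC 9421 section 2.5 signature base: one '"name": value' line per covered
    component, then the "@signature-params" line, joined by LF with no trailing newline."""
    lines = [f'"{name}": {value}' for name, value in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

# "@tls-ekm" is an assumed component name for the channel binding, not the draft's.
PARAMS = '("@method" "@authority" "@path" "@tls-ekm");alg="hmac-sha256"'

def sign_request(key: bytes, method: str, authority: str, path: str, ekm: bytes) -> bytes:
    comps = [("@method", method), ("@authority", authority), ("@path", path), ("@tls-ekm", ekm.hex())]
    return hmac.new(key, signature_base(comps, PARAMS), hashlib.sha256).digest()

def verify_request(key: bytes, method: str, authority: str, path: str, ekm: bytes, sig: bytes) -> bool:
    """The verifier recomputes the base with the exporter value of *its own* connection."""
    return hmac.compare_digest(sign_request(key, method, authority, path, ekm), sig)

if __name__ == "__main__":
    key = b"constructed-shared-hmac-key"              # constructed sample key
    ekm_a = tls13_exporter(b"A" * 32, b"EXPORTER-http-sig", b"", 32)  # connection A
    ekm_b = tls13_exporter(b"B" * 32, b"EXPORTER-http-sig", b"", 32)  # connection B
    sig = sign_request(key, "GET", "example.com", "/", ekm_a)
    print("same channel:", verify_request(key, "GET", "example.com", "/", ekm_a, sig))
    print("other channel:", verify_request(key, "GET", "example.com", "/", ekm_b, sig))
```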

Received on Friday, 31 October 2025 16:49:03 UTC