New I-D: draft-hardt-httpbis-signature-key-00 (HTTP Signature-Key Header) from Dick Hardt on 2026-01-07 (ietf-http-wg@w3.org from January to March 2026)

From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 7 Jan 2026 19:33:58 +0100
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: ot-ietf@thibault.uk, Annabelle Richard <richanna@amazon.com>, ietf@justin.richer.org, Manu Sporny <msporny@digitalbazaar.com>
Message-ID: <CAD9ie-s+kTMe=+Dz5eSJwOYTp230hyUh77yMqYj6XsZ2wUkWWg@mail.gmail.com>

  Hey,

  I've just submitted a new individual draft that defines the Signature-Key
HTTP header field for distributing public keys used to verify HTTP Message
Signatures (RFC 9421):

  https://datatracker.ietf.org/doc/draft-hardt-httpbis-signature-key/

  *Problem*: To verify an HTTP Message Signature, the verifier needs the
signer's public key. While RFC 9421 defines signature creation and
verification procedures, it intentionally leaves key distribution to
application protocols, recognizing that different deployments have
different trust requirements.

  *Solution*: The Signature-Key header enables signers to provide their
public key or a reference to it directly in the HTTP message, allowing
verifiers to obtain keying material without prior coordination.

  Four schemes are defined:
  - hwk - Inline public keys for pseudonymous verification
  - jwks_uri - Identified signers with JWKS discovery via metadata
  - x509 - Certificate-based verification with PKI trust chains
  - jwt - Delegated keys embedded in signed JWTs for horizontal scale

  The draft is co-authored with Thibault Meunier (Cloudflare), and we
welcome feedback on the approach and schemes.

  /Dick

Received on Wednesday, 7 January 2026 18:34:39 UTC