Re: Call for adoption: draft-hardt-httpbis-signature-key-01 (Ends 2026-02-26)

On 2026-02-13 07:09, Martin Thomson wrote:
> I'd like to see more discussion on use cases that would motivate the panoply of formats that this proposes.  It might be better, in the spirit of RFC 9170, to have multiple fields rather than a single field with such extreme diversity as this proposes.
> 
> I know that it's tempting to try to sweep all the use cases away in one action, but what the proposed design is more likely to produce (in my view, at least) is some successful variants, some unsuccessful variants, and a whole bunch of interoperability failure as people use incompatible variants.  The only outcomes that will be interoperable are (again, my prediction) isolated ecosystems that happily use their chosen variants, or less isolated ecosystems that pick a single, de-facto winner.


It may be worth knowing that there are other and quite different paths to the same goal. Here is a [verifiable] sample message using CBOR, where the message including its (embedded) signature is rather put in the request BODY:

1010(["https://example.com/standards/purchase-order", {  # Object ID
   "url": "https://enterprice.com/orders",  #   Target URL
   "unit": "coffee",
   "quantity": 250,
   simple(99): {   # Embedded signature container
     1: -19,   # COSE Ed25519 signature algorithm
     4: {   # COSE public key container
       1: 1,
       -1: 6,
       -2: h'fe49acf5b92b6e923594f2e83368f680ac924be93cf533aecaf802e37757f8c9'
     },
     # Signature value
     6: h'870c384dc1b051da5e15f2926a96cb4eb25f4c05a537835d80cace00c008e7376dff961b434b16612fc09ab08c51e3283f6a709c2e011becd808664ca99ae902'
   }
}])

Why would you do that, you may [rightfully] wonder? Well, if you want to serialize messages, this scheme makes serialization straightforward.

Anders
https://test.webpki.org/csf-lab/home

> 
> On Fri, Feb 13, 2026, at 15:06, Tommy Pauly wrote:
>> Hi HTTP,
>>
>> As this email notes, we’re starting a call for adoption on
>> draft-hardt-httpbis-signature-key. We’ve had some discussion on list,
>> and also would plan to have time at IETF 125 to discuss. Please take a
>> look and let us know if you think this a document the working group
>> should adopt.
>>
>> Best,
>> Tommy
>>
>>> On Feb 12, 2026, at 8:04 PM, Tommy Pauly via Datatracker <noreply@ietf.org> wrote:
>>>
>>> This message starts a httpbis WG Call for Adoption of:
>>> draft-hardt-httpbis-signature-key-01
>>>
>>> This Working Group Call for Adoption ends on 2026-02-26
>>>
>>> Abstract:
>>>    This document defines the Signature-Key HTTP header field for
>>>    distributing public keys used to verify HTTP Message Signatures as
>>>    defined in RFC 9421.  Four initial key distribution schemes are
>>>    defined: pseudonymous inline keys (hwk), identified signers with JWKS
>>>    URI discovery (jwks_uri), X.509 certificate chains (x509), and JWT-
>>>    based delegation (jwt).  These schemes enable flexible trust models
>>>    ranging from privacy-preserving pseudonymous verification to PKI-
>>>    based identity chains and horizontally-scalable delegated
>>>    authentication.
>>>
>>> Please reply to this message and indicate whether or not you support adoption
>>> of this Internet-Draft by the httpbis WG. Comments to explain your preference
>>> are greatly appreciated. Please reply to all recipients of this message and
>>> include this message in your response.
>>>
>>> Authors, and WG participants in general, are reminded of the Intellectual
>>> Property Rights (IPR) disclosure obligations described in BCP 79 [2].
>>> Appropriate IPR disclosures required for full conformance with the provisions
>>> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
>>> Sanctions available for application to violators of IETF IPR Policy can be
>>> found at [3].
>>>
>>> Thank you.
>>> [1] https://datatracker.ietf.org/doc/bcp78/
>>> [2] https://datatracker.ietf.org/doc/bcp79/
>>> [3] https://datatracker.ietf.org/doc/rfc6701/
>>>
>>> The IETF datatracker status page for this Internet-Draft is:
>>> https://datatracker.ietf.org/doc/draft-hardt-httpbis-signature-key/
>>>
>>> There is also an HTML version available at:
>>> https://www.ietf.org/archive/id/draft-hardt-httpbis-signature-key-01.html
>>>
>>> A diff from the previous version is available at:
>>> https://author-tools.ietf.org/iddiff?url2=draft-hardt-httpbis-signature-key-01
> 

Received on Friday, 13 February 2026 07:51:48 UTC
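
Added example, not part of the original message or of any project's code: a minimal deterministic CBOR encoder applied to the sample message above, showing that the body with its embedded signature serializes to the same bytes regardless of in-memory key order. It assumes deterministic encoding per RFC 8949 section 4.2.1 and, as a further assumption not stated in the message, that the signature covers the message with only the signature value (label 6) left out; `Tag`, `Simple`, `head`, `encode` and `signed_bytes` are names chosen here.

```python
from collections import namedtuple

Tag = namedtuple("Tag", "number value")   # CBOR tag, e.g. 1010(...)
Simple = namedtuple("Simple", "number")   # CBOR simple value, e.g. simple(99)

def head(major, n):
    """Shortest-form initial bytes for a major type and its argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument out of range")

def encode(obj):
    """Deterministic CBOR encoding for the types the sample message uses."""
    if isinstance(obj, Tag):
        return head(6, obj.number) + encode(obj.value)
    if isinstance(obj, Simple):
        return head(7, obj.number)
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, str):
        return head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, list):
        return head(4, len(obj)) + b"".join(map(encode, obj))
    if isinstance(obj, dict):  # keys sorted bytewise by their own encoding
        pairs = sorted((encode(k), encode(v)) for k, v in obj.items())
        return head(5, len(obj)) + b"".join(k + v for k, v in pairs)
    raise TypeError(type(obj))

SIG = Simple(99)  # key of the embedded signature container in the sample
PUB = bytes.fromhex("fe49acf5b92b6e923594f2e83368f680ac924be93cf533aecaf802e37757f8c9")
SIGNATURE = bytes.fromhex(
    "870c384dc1b051da5e15f2926a96cb4eb25f4c05a537835d80cace00c008e737"
    "6dff961b434b16612fc09ab08c51e3283f6a709c2e011becd808664ca99ae902")
# Same content as the sample; insertion order shuffled on purpose.
message = Tag(1010, ["https://example.com/standards/purchase-order", {
    "quantity": 250, "unit": "coffee",
    SIG: {6: SIGNATURE, 1: -19, 4: {-2: PUB, -1: 6, 1: 1}},
    "url": "https://enterprice.com/orders",
}])

def signed_bytes(msg):
    """Assumed signature input: the message without label 6 (signature value)."""
    oid, body = msg.value
    container = {k: v for k, v in body[SIG].items() if k != 6}
    return encode(Tag(msg.number, [oid, {**body, SIG: container}]))
```

The bytes from `signed_bytes(message)`, the public key under label 4 and the value under label 6 are what an Ed25519 verifier would be given under the stated assumption; the encoder restores the key order shown in the sample (url, unit, quantity, simple(99)) from the shuffled input.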