[Openid-specs-fapi] HTTP Header data for FAPI HTTP Signing

Anders Rundgren anders.rundgren.net at gmail.com
Fri Jul 19 19:16:03 UTC 2019

Hi All,

This topic seems almost independent from other requirements, even including body encoding.

The most rigid/full solution for HTTP header data is simply copying the data as is.

AFAICT existing and proposed schemes rather hash arguments (after "normalization") and concatenating headers having the same name which though breaks down if servers modify, delete or add headers having the same name as one that is signed.

Personally I wouldn't worry too much about that; there is no absolute requirement that a standard must work in any configuration.

No matter what scheme you use, header data can only be verified by the outermost/receiving server while signatures (for schemes that support serialization NB) can be verified anytime.

Step 1-6 of https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00#section-6.3 describes an HTTP header hashing scheme.  Arguments for headers having the same name should preferably be ordered as well.


More information about the Openid-specs-fapi mailing list