[Openid-specs-fapi] Signed HTTP in IETF

Anders Rundgren anders.rundgren.net at gmail.com
Sun Apr 19 14:09:27 UTC 2020

Cavage HTTP Signatures appears to have become an HTTP-bis item:

Even if it becomes an IETF standard, I will most likely stick to my current https://cyberphone.github.io/doc/web/yasmin.html scheme, because using HTTP headers for carrying data of such importance that it must be signed seems like a not entirely recommendable solution, since such data may not survive proxies etc. The "predecessor" WS-Security did not (AFAICT) depend on such features either.

In addition, counter-signing, which is a great way of simplifying system design, also becomes a breeze if you stick to HTTP bodies:

However, putting an explicit "recepientUrl" in message requests is logical, though, since it is useful information for both parties (where did I send it? am I the proper receiver?):
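The following is an added illustration of the two points made in this post (signing the HTTP body rather than headers, and counter-signing plus an explicit recipient URL); it is example code written for this page, not YASMIN's or any FAPI draft's actual format. The member names (recipientUrl, signature, request, status) and the use of Go's sorted-key JSON output as a stand-in for a real canonicalization scheme are assumptions made for the example, as are the sample URL and payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a JSON object. Every member except "signature" is covered by the
// signature, so the protected data rides in the HTTP body, where intermediaries
// that rewrite or drop headers cannot touch it without breaking the signature.
type Message map[string]any

// canonical serialises every member except "signature". encoding/json writes map
// keys in sorted order, so both ends derive the same bytes from the same object
// (assumption: a simplified stand-in for a proper JSON canonicalization scheme).
func canonical(m Message) ([]byte, error) {
	body := make(map[string]any, len(m))
	for k, v := range m {
		if k != "signature" {
			body[k] = v
		}
	}
	return json.Marshal(body)
}

// sign stores a base64url ECDSA/P-256 signature over the canonical body in "signature".
func sign(m Message, key *ecdsa.PrivateKey) error {
	data, err := canonical(m)
	if err != nil {
		return err
	}
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return err
	}
	m["signature"] = base64.RawURLEncoding.EncodeToString(sig)
	return nil
}

// verify checks the signature and, if the message carries "recipientUrl", that it
// names the URL this receiver actually serves ("am I the proper receiver?").
func verify(m Message, pub *ecdsa.PublicKey, myURL string) error {
	encoded, ok := m["signature"].(string)
	if !ok {
		return errors.New("missing signature")
	}
	sig, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return err
	}
	data, err := canonical(m)
	if err != nil {
		return err
	}
	h := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	if url, present := m["recipientUrl"]; present && url != myURL {
		return fmt.Errorf("recipientUrl %v does not match this endpoint %s", url, myURL)
	}
	return nil
}

// roundTrip sends a signed request to a receiver that counter-signs it: the response
// embeds the request exactly as received and is signed by the receiver, so the client
// ends up with one body proving both what it sent and what was answered.
func roundTrip(client, server *ecdsa.PrivateKey, serverURL string) (Message, error) {
	// Constructed sample request; "amount"/"currency" are illustrative only.
	req := Message{"recipientUrl": serverURL, "payload": map[string]any{"amount": 100, "currency": "EUR"}}
	if err := sign(req, client); err != nil {
		return nil, err
	}
	wire, _ := json.Marshal(req) // the HTTP request body, as the proxy chain sees it
	var received Message         // receiver side: parse, check signature and addressee
	if err := json.Unmarshal(wire, &received); err != nil {
		return nil, err
	}
	if err := verify(received, &client.PublicKey, serverURL); err != nil {
		return nil, fmt.Errorf("receiver rejected request: %w", err)
	}
	resp := Message{"status": "accepted", "request": received} // counter-signature
	if err := sign(resp, server); err != nil {
		return nil, err
	}
	respWire, _ := json.Marshal(resp) // the HTTP response body
	var answer Message                // back at the client: outer then inner signature
	if err := json.Unmarshal(respWire, &answer); err != nil {
		return nil, err
	}
	if err := verify(answer, &server.PublicKey, ""); err != nil {
		return nil, fmt.Errorf("client rejected response: %w", err)
	}
	inner, _ := answer["request"].(map[string]any)
	if err := verify(Message(inner), &client.PublicKey, serverURL); err != nil {
		return nil, fmt.Errorf("counter-signed request altered: %w", err)
	}
	return answer, nil
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	server, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	answer, err := roundTrip(client, server, "https://bank.example/api/payments")
	fmt.Println(answer["status"], err)
}
```

Because the signature covers the whole body, a proxy that rewrites or strips headers has no effect on verification, while any change to the body (or delivery to a different recipientUrl) is rejected; the counter-signed response leaves the client holding a single self-contained record of both halves of the exchange.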
