[Openid-specs-fapi] Signed HTTP in IETF

Anders Rundgren anders.rundgren.net at gmail.com
Sun Apr 19 14:09:27 UTC 2020


Cavage HTTP Signatures appears to have become an HTTP-bis item:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/

Even if it becomes an IETF standard, I will most likely stick to my current https://cyberphone.github.io/doc/web/yasmin.html scheme because using HTTP headers for carrying data of such importance that it must be signed seems like a not entirely recommendable solution since such data may not survive proxies etc.  The "predecessor" WS-Security did (AFAICT) not depend on such features either.

In addition, counter-signing, which is a great way of simplifying system design, also becomes a breeze if you stick to HTTP bodies:
https://cyberphone.github.io/doc/saturn/bank2bank-payment.html#6

However, putting an explicit "recepientUrl" in message requests is, though, logical since it is useful information for both parties (where did I send it? am I the proper receiver?):
https://cyberphone.github.io/doc/saturn/bank2bank-payment.html#4

thanx,
Anders
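The pattern argued for above (signature carried in the HTTP body rather than in headers, an explicit recipient URL that the receiver checks, and counter-signing by wrapping the already-signed request), as an added illustration that is not part of the original post and not the Yasmin or Saturn code. HMAC with constructed demo keys stands in for the asymmetric signatures those schemes use, the field name recipientUrl, the URLs and the header-stripping "proxy" are all assumptions made for this example:

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the asymmetric signatures
# a real scheme would use; each party holds its own key here.
KEYS = {
    "client": b"client-demo-key",
    "bank": b"bank-demo-key",
}


def canonical(obj):
    """Canonical JSON (sorted keys, no whitespace) so both sides MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(message, signer):
    """Return a copy of message with a 'signature' object added.

    The signature covers every top-level field except 'signature' itself,
    so nested, already-signed content is covered too."""
    body = {k: v for k, v in message.items() if k != "signature"}
    mac = hmac.new(KEYS[signer], canonical(body), hashlib.sha256).hexdigest()
    signed = dict(body)
    signed["signature"] = {"signer": signer, "alg": "HS256-demo", "value": mac}
    return signed


def verify(message, my_url):
    """Check the body signature, then check the message was meant for my_url."""
    sig = message.get("signature")
    if not isinstance(sig, dict) or sig.get("signer") not in KEYS:
        return False, "missing or unknown signer"
    body = {k: v for k, v in message.items() if k != "signature"}
    expected = hmac.new(KEYS[sig["signer"]], canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("value", ""))):
        return False, "bad signature"
    # Explicit recipient URL: "am I the proper receiver?"
    if message.get("recipientUrl") != my_url:
        return False, "not addressed to " + my_url
    return True, "ok"


def countersign(inner_signed, signer, **outer_fields):
    """Counter-sign by wrapping the signed request in a new body and signing that.

    The outer signature therefore also covers the inner signature, binding the
    response to exactly the request that was received."""
    outer = dict(outer_fields)
    outer["request"] = inner_signed
    return sign(outer, signer)


def proxy(headers, body):
    """Constructed intermediary: drops every header except Content-Type,
    forwards the body unchanged. A header-borne signature dies here."""
    return {"Content-Type": headers.get("Content-Type", "application/json")}, body


def demo():
    """Full round trip: client request -> proxy -> bank verifies -> bank counter-signs."""
    request = sign({
        "recipientUrl": "https://bank.example/payment",
        "amount": "10.00",
        "currency": "EUR",
    }, "client")
    headers, body = proxy({"Signature": "keyId=client", "Content-Type": "application/json"},
                          json.dumps(request))
    received = json.loads(body)
    ok_request, why_request = verify(received, "https://bank.example/payment")
    response = countersign(received, "bank",
                           recipientUrl="https://client.example/callback",
                           status="accepted")
    ok_response, why_response = verify(response, "https://client.example/callback")
    ok_inner, why_inner = verify(response["request"], "https://bank.example/payment")
    return {
        "header_signature_survived": "Signature" in headers,
        "request": (ok_request, why_request),
        "response": (ok_response, why_response),
        "inner_request": (ok_inner, why_inner),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that verify rejects a message whose recipientUrl names another receiver even when the signature is valid, which is the "am I the proper receiver?" check; a forwarded or misrouted request fails closed instead of being accepted.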
