[Openid-specs-fapi] Issue #541: HTTP Signatures (openid/fapi)
Justin Richer
issues-reply at bitbucket.org
Wed Sep 14 14:13:52 UTC 2022
New issue 541: HTTP Signatures
https://bitbucket.org/openid/fapi/issues/541/http-signatures
Justin Richer:
The section on the use of HTTP Message Signing (https://openid.bitbucket.io/fapi/fapi-2_0-advanced.html#name-http-message-signing) is difficult to follow for an implementor. I would suggest the following changes to improve both its effectiveness and security:
* split both the “client” and “RS” sections into “signer” and “verifier” roles for each. Right now it’s confusing that the client would need to pull the RS’s key when the rest of the requirements are for signing.
* Alternatively, split into “requests from the client to the RS” and “responses from the RS to the client”, and give requirements for both the signer and verifier in each case.
* don’t sign the “date” header – it’s often not available to higher level applications. Instead use the “created” signature parameter.
* define a value for the “context” parameter (new parameter in the signatures draft) for both requests and responses. Can be a fixed string or pattern to detect, but recommend a fixed string of “fapi-2-advanced-request” and “fapi-2-advanced-response” or something like that.
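The two signing-parameter suggestions above (freshness from the `created` parameter rather than a signed `Date` header, and a fixed `context` string that binds a signature to its role) are easiest to see as a signer/verifier pair. The following is an added example written for this note; it is not code from the issue, the FAPI working group or the HTTP Message Signatures draft. It assumes a shared `hmac-sha256` key, a minimal request dictionary instead of a real HTTP library, and a deliberately simplified parser for the `@signature-params` value (it does not handle `;` inside quoted strings). The parameter is called `context` here to match the issue; the published RFC 9421 renamed it to `tag`.

```python
import hmac
import hashlib

# Constructed demo values; none of these come from the issue or the FAPI draft.
SHARED_KEY = b"example-shared-secret-do-not-use"   # hmac-sha256 key (constructed)
KEY_ID = "fapi-example-key"                        # hypothetical keyid
REQUEST_CONTEXT = "fapi-2-advanced-request"        # the fixed string the issue proposes
COVERED = ["@method", "@authority", "@path", "content-digest"]  # what this profile signs

# Constructed sample request; the Content-Digest value is an arbitrary placeholder.
SAMPLE_REQUEST = {
    "method": "POST",
    "authority": "rs.example",
    "path": "/accounts",
    "headers": {
        "Content-Digest": "sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:",
        "Content-Type": "application/json",
    },
}


def derive_component(name, req):
    """Resolve one covered component: derived components from the request
    line, anything else looked up as an HTTP field (case-insensitive)."""
    derived = {"@method": req["method"], "@authority": req["authority"], "@path": req["path"]}
    if name in derived:
        return derived[name]
    for field, value in req["headers"].items():
        if field.lower() == name.lower():
            return value.strip()
    raise KeyError(f"covered component {name!r} absent from request")


def build_signature_params(components, created, key_id, context):
    """Serialize the @signature-params value: inner list of quoted
    component names, then created/keyid/context parameters."""
    inner = " ".join(f'"{c}"' for c in components)
    return f'({inner});created={created};keyid="{key_id}";context="{context}"'


def signature_base(req, components, params):
    """Canonical signature base: one '"name": value' line per covered
    component, then the @signature-params line, joined by LF."""
    lines = [f'"{c}": {derive_component(c, req)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign_request(req, created, key=SHARED_KEY):
    """Signer side. Returns (Signature-Input value, raw MAC bytes).
    The freshness claim is the created parameter, so no Date header is needed."""
    params = build_signature_params(COVERED, created, KEY_ID, REQUEST_CONTEXT)
    base = signature_base(req, COVERED, params)
    return params, hmac.new(key, base.encode(), hashlib.sha256).digest()


def parse_signature_params(params):
    """Parse the params string back into (components, {name: value}).
    Simplified: assumes no ';' or ')' inside quoted values."""
    if not params.startswith("("):
        raise ValueError("malformed @signature-params")
    inner, _, rest = params[1:].partition(")")
    components = [c.strip('"') for c in inner.split()]
    kv = {}
    for part in rest.split(";"):
        if part:
            name, _, value = part.partition("=")
            kv[name] = value.strip('"')
    return components, kv


def verify_request(req, params, mac, now, key=SHARED_KEY, max_age=300):
    """Verifier side. Returns (ok, reason). Checks coverage, context,
    created-based freshness, then the MAC over the received params string."""
    try:
        components, kv = parse_signature_params(params)
    except ValueError as err:
        return False, str(err)
    if any(c not in components for c in COVERED):
        return False, "required component not covered"
    # A response signature replayed as a request carries the wrong context.
    if kv.get("context") != REQUEST_CONTEXT:
        return False, "unexpected context"
    try:
        created = int(kv["created"])
    except (KeyError, ValueError):
        return False, "missing or malformed created"
    if abs(now - created) > max_age:
        return False, "signature outside freshness window"
    try:
        base = signature_base(req, components, params)
    except KeyError as err:
        return False, str(err)
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    sig_input, sig = sign_request(SAMPLE_REQUEST, created=1663164832)  # constructed timestamp
    print(sig_input)
    print(verify_request(SAMPLE_REQUEST, sig_input, sig, now=1663164900))
```

The verifier rebuilds the base from the `@signature-params` string exactly as received rather than re-serializing it, so any difference in parameter order or formatting between signer and verifier shows up as a MAC mismatch instead of being silently accepted.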