[Openid-specs-fapi] Request-Response Binding Issues in httpbis-message-signatures-15

Anders Rundgren anders.rundgren.net at gmail.com
Thu Feb 9 08:11:49 UTC 2023


When reading the exchanges on this topic, I've become even more convinced that signature schemes based on HTTP headers may not be for everybody.  An alternative design pattern using CBOR + deterministic serialization:

Request body:
{
   request data...,
   enveloped request signature
}

Response body:
{
   response data...,
   // counter-signed request object
   request: {
     request data...,
     enveloped request signature
   },
   enveloped response signature
}

Request data would typically include URI (and optionally method) but that would be it.

For those who consider faithfulness to IETF standards as paramount, using COSE/JOSE and associated libraries would work right out of the box, albeit at a loss of readability.

The ability to serialize requests is an important part of the plot.

Anders
https://github.com/cyberphone/cbor-everywhere
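The exchange sketched in the post, as an added worked example that is not part of the original message and not code from the cbor-everywhere project. Stand-ins, all of them assumptions for the sake of a stdlib-only script: HMAC-SHA256 in place of a COSE/JOSE signature, canonical JSON (sorted keys, no whitespace) in place of deterministic CBOR encoding, and the member names `uri`, `method`, `request` and `signature` plus the sample keys and amounts are made up. The point the code makes is the one the post relies on: the server counter-signs by embedding the complete signed request object in the response, so the client can re-serialize what it sent and compare bytes, which catches a response replayed against a different request as well as ordinary tampering.

```python
"""Request/response binding with enveloped signatures over a deterministic
encoding.  Added illustration; assumptions: HMAC-SHA256 instead of COSE/JOSE,
canonical JSON instead of deterministic CBOR, made-up member names and keys."""
import hashlib
import hmac
import json

SIG = "signature"  # assumed name of the enveloped-signature member

# Constructed sample keys; a real deployment would use asymmetric keys.
CLIENT_KEY = b"client-demo-key"
SERVER_KEY = b"server-demo-key"


def serialize(obj):
    """Deterministic encoding: same object -> same bytes (stand-in for CBOR)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def envelope_sign(obj, key):
    """Return obj with an enveloped signature over every member except the signature."""
    body = {k: v for k, v in obj.items() if k != SIG}
    tag = hmac.new(key, serialize(body), hashlib.sha256).hexdigest()
    return {**body, SIG: tag}


def envelope_verify(obj, key):
    """Strip the signature member, re-serialize the rest and check the tag."""
    if not isinstance(obj, dict) or not isinstance(obj.get(SIG), str):
        return False
    body = {k: v for k, v in obj.items() if k != SIG}
    expected = hmac.new(key, serialize(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj[SIG])


def build_request(uri, method, data, client_key=CLIENT_KEY):
    """Client side: request data plus URI and method, enveloped-signed."""
    return envelope_sign({"uri": uri, "method": method, **data}, client_key)


def build_response(request, data, server_key=SERVER_KEY, client_key=CLIENT_KEY):
    """Server side: verify the request, then counter-sign by embedding the
    complete signed request object in the response before signing it."""
    if not envelope_verify(request, client_key):
        raise ValueError("request signature invalid")
    return envelope_sign({**data, "request": request}, server_key)


def verify_response(response, sent_request, server_key=SERVER_KEY):
    """Client side: the response signature must verify, and the embedded
    request must re-serialize to exactly the bytes of the request we sent."""
    if not envelope_verify(response, server_key):
        return False
    return serialize(response.get("request")) == serialize(sent_request)


def demo():
    """Run the honest exchange and three failure modes; return the outcomes."""
    req = build_request("https://bank.example/transfer", "POST",
                        {"amount": 100, "to": "acct-42"})
    resp = build_response(req, {"status": "accepted", "txid": "T1"})
    honest = verify_response(resp, req)

    # 1. Valid response replayed against a different request: binding fails.
    other = build_request("https://bank.example/transfer", "POST",
                          {"amount": 100000, "to": "acct-99"})
    replayed = verify_response(resp, other)

    # 2. Response body altered in transit: server signature fails.
    altered = {**resp, "status": "rejected"}
    tampered = verify_response(altered, req)

    # 3. Embedded request swapped for another signed request: signature fails,
    #    because the server's signature covers the whole embedded object.
    swapped = {**resp, "request": other}
    swapped_ok = verify_response(swapped, req)

    return honest, replayed, tampered, swapped_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The comparison in `verify_response` is on serialized bytes rather than on dict equality on purpose: it is the deterministic encoding that makes "the request I sent" a well-defined sequence of bytes, which is what the post means by requests being serializable.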

