[Openid-specs-fapi] Request-Response Binding Issues in httpbis-message-signatures-15
Brian Campbell
bcampbell at pingidentity.com
Thu Feb 9 21:44:45 UTC 2023
For a little more context, this
https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0063.html is
the start of the thread on the topic that's being alluded to.
On Thu, Feb 9, 2023 at 1:12 AM Anders Rundgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> When reading the exchanges on this topic, I've become even more convinced
> that signature schemes based on HTTP headers may not be for everybody. An
> alternative design pattern using CBOR + deterministic serialization:
>
> Request body:
> {
>   request data...,
>   enveloped request signature
> }
>
> Response body:
> {
>   response data...,
>   // counter-signed request object
>   request: {
>     request data...
>     enveloped request signature
>   },
>   enveloped response signature
> }
>
> Request data would typically include URI (and optionally method) but that
> would be it.
>
> For those who consider faithfulness to IETF standards as paramount, using
> COSE/JOSE and associated libraries would work right out of the box, albeit
> at a loss of readability.
>
> The ability to serialize requests is an important part of the plot.
>
> Anders
> https://github.com/cyberphone/cbor-everywhere
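The request/response binding pattern outlined in the quoted message, as an added Python example that is not part of the original thread or of the cbor-everywhere project. Assumptions: HMAC-SHA256 stands in for a real signature algorithm so the code runs on the standard library alone, the encoder covers only the CBOR subset needed here, and the `signature` and `request` key names and all function names are hypothetical.

```python
import hashlib
import hmac

SIG = "signature"  # hypothetical key name for the enveloped signature

def _head(major, n):
    """CBOR initial byte plus shortest-form argument (RFC 8949, 4.2.1)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large")

def encode(v):
    """Deterministic CBOR subset: uint, bytes, text, map (keys sorted bytewise)."""
    if type(v) is int and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode("utf-8"))) + v.encode("utf-8")
    if isinstance(v, dict):
        items = sorted((encode(k), encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type: {type(v).__name__}")

def _tag(body, key):
    # Assumption: HMAC-SHA256 as a stand-in for an asymmetric signature.
    return hmac.new(key, encode(body), hashlib.sha256).digest()

def sign(data, key):
    """Return data plus an enveloped signature over its deterministic encoding."""
    body = {k: v for k, v in data.items() if k != SIG}
    return {**body, SIG: _tag(body, key)}

def verify(obj, key):
    if not isinstance(obj, dict) or not isinstance(obj.get(SIG), bytes):
        return False
    body = {k: v for k, v in obj.items() if k != SIG}
    return hmac.compare_digest(obj[SIG], _tag(body, key))

def respond(signed_request, data, server_key):
    """Counter-sign: the response signature covers the whole signed request."""
    return sign({**data, "request": signed_request}, server_key)

def response_matches(response, sent_request, server_key):
    """Client check: valid response signature AND it embeds exactly what we sent."""
    return (verify(response, server_key)
            and encode(response.get("request", {})) == encode(sent_request))
```

Because the encoding is deterministic, the client can compare the embedded request to the one it sent byte for byte, so a validly signed response to a different request is rejected.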