[Openid-specs-fapi] Issue #714: Multiple HTTP message signatures in a single HTTP message (openid/fapi)
Takahiko Kawasaki
issues-reply at bitbucket.org
Wed Sep 11 21:50:14 UTC 2024
New issue 714: Multiple HTTP message signatures in a single HTTP message
https://bitbucket.org/openid/fapi/issues/714/multiple-http-message-signatures-in-a
Takahiko Kawasaki:
An HTTP message can contain multiple HTTP message signatures. Does Section 5.6, “[HTTP message signing](https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html#section-5.6)” of the “[FAPI 2.0 Message Signing](https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html)” specification, require all HTTP message signatures to meet the FAPI 2.0 requirements? Or is it sufficient for an HTTP message to include at least one HTTP message signature that satisfies the FAPI 2.0 requirements?
Requiring all HTTP message signatures to comply with the FAPI 2.0 requirements could make it difficult for application-specific HTTP message signatures to coexist with the FAPI 2.0 Message Signing specification. Therefore, my sense is that the specification should not mandate that all HTTP message signatures meet these requirements, and the specification should explicitly state that a single HTTP message signature meeting the requirements is sufficient.
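The two readings of the question above, as an added example that is not part of the original post or of the FAPI specification: a simplified parser for an RFC 9421 `Signature-Input` header carrying two labelled signatures, evaluated under an "at least one" policy and an "all" policy. The required components and parameters, the sample header, and all function names are assumptions made for illustration; the actual requirements are those listed in Section 5.6, and cryptographic verification of each signature is out of scope here.

```python
import re

# Simplified subset of the Signature-Input syntax (RFC 9421); this is not a
# full RFC 8941 structured-field parser.
TOKEN = r'[a-z*][a-z0-9_.*-]*'
VALUE = r'(?:"[^"]*"|[^;,\s]+)'
MEMBER = re.compile(rf'({TOKEN})=\(([^)]*)\)((?:;{TOKEN}(?:={VALUE})?)*)')
PARAM = re.compile(rf';({TOKEN})(?:=(?:"([^"]*)"|([^;,\s]+)))?')

# Hypothetical stand-in for the profile's requirements (assumption, not the
# list from Section 5.6).
REQUIRED_COMPONENTS = {"@method", "@target-uri"}
REQUIRED_PARAMS = {"created", "tag"}

# Constructed sample: one profile-style signature, one application-specific.
SAMPLE = ('sig1=("@method" "@target-uri" "authorization");created=1726091414;'
          'keyid="client-key";tag="example-profile", '
          'app=("x-app-nonce");keyid="app-key"')


def parse_signature_input(header):
    """Return {label: {"components": [...], "params": {...}}}."""
    sigs = {}
    for label, inner, params in MEMBER.findall(header):
        parsed = {}
        for name, quoted, bare in PARAM.findall(params):
            parsed[name] = quoted if quoted else (bare or True)
        sigs[label] = {"components": re.findall(r'"([^"]*)"', inner),
                       "params": parsed}
    return sigs


def meets_profile(sig):
    """True if one signature covers the required components and parameters."""
    return (REQUIRED_COMPONENTS <= set(sig["components"])
            and REQUIRED_PARAMS <= set(sig["params"]))


def evaluate(header):
    """Check every labelled signature and report both policy outcomes."""
    results = {label: meets_profile(sig)
               for label, sig in parse_signature_input(header).items()}
    return {"per_signature": results,
            "any": any(results.values()),
            "all": bool(results) and all(results.values())}


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Under the "at least one" reading, a verifier would treat only the components covered by the qualifying signature (here `sig1`) as protected; the `app` signature neither adds to nor weakens that coverage.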