<div dir="ltr">For a little more context, this <a href="https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0063.html">https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0063.html</a> is the start of the thread on the topic that's being alluded to. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 9, 2023 at 1:12 AM Anders Rundgren via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">When reading the exchanges on this topic, I've become even more convinced that signature schemes based on HTTP headers may not be for everybody.  An alternative design pattern using CBOR + deterministic serialization:<br>
<br>
Request body:<br>
{<br>
   request data...,<br>
   enveloped request signature<br>
}<br>
<br>
Response body:<br>
{<br>
   response data...,<br>
   // counter-signed request object<br>
   request: {<br>
     request data...<br>
     enveloped request signature<br>
   },<br>
   enveloped response signature<br>
}<br>
<br>
Request data would typically include URI (and optionally method) but that would be it.<br>
<br>
For those who consider faithfulness to IETF standards as paramount, using COSE/JOSE and associated libraries would work right out of the box, albeit at a loss of readability.<br>
<br>
The ability to serialize requests is an important part of the plot.<br>
<br>
Anders<br>
<a href="https://github.com/cyberphone/cbor-everywhere" rel="noreferrer" target="_blank">https://github.com/cyberphone/cbor-everywhere</a><br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div>

<br>
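The pattern in the quoted message (deterministically serialized CBOR, an enveloped signature inside each body, and the signed request object echoed and counter-signed inside the response), as an added example that is not part of the thread and is not code from cbor-everywhere. Assumptions: the signature element is a map named "signature" with "alg", "kid" and "val" members; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use (swap the two hmac calls for an Ed25519 or ECDSA sign/verify pair and nothing else changes); the key identifiers, keys and payload are constructed for the demo; no nonce or timestamp is included because the post does not specify one. Only the Python standard library is used.

```python
"""Added example, not from the post: deterministic CBOR + enveloped signatures,
with the signed request counter-signed inside the response.
HMAC-SHA256 stands in for a real signature algorithm (assumption)."""
import hashlib
import hmac
import struct

SIG = "signature"  # name of the enveloped signature element (assumed)


def _head(major: int, n: int) -> bytes:
    """Initial bytes of a CBOR item in shortest form (RFC 8949 section 4.2.1)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                           (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if n < limit:
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise OverflowError("integer too large for CBOR")


def cbor_encode(obj) -> bytes:
    """Core deterministic encoding: shortest integers, definite lengths,
    map keys ordered by the bytewise order of their own encoding."""
    if obj is False:
        return b"\xf4"
    if obj is True:
        return b"\xf5"
    if obj is None:
        return b"\xf6"
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        items = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in obj.items()),
                       key=lambda kv: kv[0])
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def sign(obj: dict, key: bytes, kid: str) -> dict:
    """Copy of obj with an enveloped signature. The MAC covers the deterministic
    encoding of the whole map, including alg and kid, minus the value itself."""
    if SIG in obj:
        raise ValueError("object already signed")
    container = {"alg": "HS256", "kid": kid}
    mac = hmac.new(key, cbor_encode(dict(obj, **{SIG: container})), hashlib.sha256).digest()
    return dict(obj, **{SIG: dict(container, val=mac)})


def verify(obj: dict, keys: dict) -> bool:
    """keys maps a trusted kid to its key; alg is pinned, not taken from the message."""
    sig = obj.get(SIG)
    if not isinstance(sig, dict) or sig.get("alg") != "HS256":
        return False
    key, val = keys.get(sig.get("kid")), sig.get("val")
    if key is None or not isinstance(val, bytes):
        return False
    container = {k: v for k, v in sig.items() if k != "val"}
    expected = hmac.new(key, cbor_encode(dict(obj, **{SIG: container})), hashlib.sha256).digest()
    return hmac.compare_digest(expected, val)


def make_request(method: str, uri: str, data: dict, client_key: bytes) -> dict:
    """Client: request data plus URI and method, enveloped-signed."""
    return sign({"method": method, "uri": uri, "data": data}, client_key, "client-1")


def handle_request(req: dict, client_keys: dict, server_key: bytes, result: dict) -> dict:
    """Server: verify, echo the signed request object, counter-sign the whole response."""
    if not verify(req, client_keys):
        raise PermissionError("bad request signature")
    return sign({"result": result, "request": req}, server_key, "server-1")


def check_response(resp: dict, sent_request: dict, server_keys: dict) -> bool:
    """Client: server signature verifies and the echoed request is byte-identical
    (thanks to deterministic encoding) to the request this client sent."""
    return verify(resp, server_keys) and cbor_encode(resp.get("request")) == cbor_encode(sent_request)


# Constructed demo keys (never hard-code keys outside a demo).
CLIENT_KEYS = {"client-1": b"client-demo-key"}
SERVER_KEYS = {"server-1": b"server-demo-key"}


def demo() -> dict:
    req = make_request("POST", "https://api.example.com/payments",
                       {"amount": 1250, "currency": "EUR", "ref": b"\x01\x02"}, CLIENT_KEYS["client-1"])
    resp = handle_request(req, CLIENT_KEYS, SERVER_KEYS["server-1"], {"status": "accepted", "id": 42})
    tampered = dict(req, uri="https://api.example.com/refunds")
    other = make_request("POST", "https://api.example.com/payments", {"amount": 1}, CLIENT_KEYS["client-1"])
    return {
        "request_ok": verify(req, CLIENT_KEYS),
        "tampered_request_rejected": not verify(tampered, CLIENT_KEYS),
        "response_ok": check_response(resp, req, SERVER_KEYS),
        "response_accepted_for_other_request": check_response(resp, other, SERVER_KEYS),
        # insertion order of map members does not change the signed bytes
        "deterministic": cbor_encode({"b": 1, "a": [2, 3]}) == cbor_encode({"a": [2, 3], "b": 1}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two details carry the security weight: the signature covers its own alg and kid members, so a verifier cannot be steered to a different algorithm or key by editing the container, and the client compares the echoed request against the request it actually sent, which is what binds a response to one specific request rather than to any request the server happens to have signed.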