This document describes a mechanism for creating, encoding, and
verifying digital signatures or message authentication codes over
components of an HTTP message. This mechanism supports use cases
where the full HTTP message may not be known to the signer, and where
the message may be transformed (e.g., by intermediaries) before
reaching the verifier. This document also describes a means for
requesting that a signature be applied to a subsequent HTTP message
in an ongoing HTTP exchange.
Working Group Summary
At IETF 114, a concern was raised (by Chris Wood) that more formal analysis should be
performed, akin to the process normally used in CFRG. This document was then
presented at IETF 115 in SAAG for broad discussion of formal analysis as well as to
get specific feedback on this document. The sense of that room was that formal
analysis is not a gating factor that applies to security documents, and the comments
about this document were positive. Separately, an academic formal analysis is ongoing,
but the chairs have decided to progress this document to the IETF and IESG in parallel
with that work.
This document spent a couple of years in the working group and got feedback from many
contributors, both people specifically interested in signatures and
people involved in generic HTTP. It received quite careful review, and the shepherd senses
it has broad agreement. The WGLC didn't receive many specific email responses, but
there was sufficient discussion on GitHub and in the meeting to confirm consensus.
There are many implementations of earlier versions of signatures, and this version
has also received implementation and interop testing, which has been discussed and presented
to the working group. (Note that this is not documented in the document itself.)
This document mainly overlaps with the security area. It received an early SecDir
review last year, as well as extra reviews in the past month by security area
reviewers (such as Kyle Rose).
Document Shepherd: Tommy Pauly
Responsible Area Director: Paul Wouters stepping in for Francesca Palombini