Skip to main content

HTTP Message Signatures

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: The IESG <>,,,,,,
Subject: Protocol Action: 'HTTP Message Signatures' to Proposed Standard (draft-ietf-httpbis-message-signatures-19.txt)

The IESG has approved the following document:
- 'HTTP Message Signatures'
  (draft-ietf-httpbis-message-signatures-19.txt) as Proposed Standard

This document is the product of the HTTP Working Group.

The IESG contact persons are Murray Kucherawy, Paul Wouters and Francesca

A URL of this Internet-Draft is:

Ballot Text

Technical Summary

   This document describes a mechanism for creating, encoding, and
   verifying digital signatures or message authentication codes over
   components of an HTTP message.  This mechanism supports use cases
   where the full HTTP message may not be known to the signer, and where
   the message may be transformed (e.g., by intermediaries) before
   reaching the verifier.  This document also describes a means for
   requesting that a signature be applied to a subsequent HTTP message
   in an ongoing HTTP exchange.

Working Group Summary

At IETF 114, there was concern raised (by Chris Wood) that there should be more formal
analysis performed, akin to the process normally used in CFRG. This document was then
presented at IETF 115 in SAAG for broad discussion of formal analysis as well as to
get specific feedback on this document. The sense of that room was that formal
analysis was not a gating factor that is present for security documents, and the comments
about this document were positive. Separately, an academic formal analysis is ongoing,
but the chairs have decided to progress this document to the IETF and IESG in parallel
with that work.

Document Quality

This document spent a couple years in the working group, and got feedback from many
contributors, both from people specifically interested in signatures, as well as
the people involved in generic HTTP. It received quite careful review and the shepherd senses
it has broad agreement. The WGLC didn't receive many specific email responses, but
there was sufficient discussion on GitHub and in the meeting to confirm consensus.

There are many implementations of earlier versions of signatures, and this version
has also received implementation and interop testing, which has been discussed and presented
to the working group. (Note that this is not documented in the document itself.)

This document mainly overlaps with security area. It received an early SecDir
review last year, as well as extra reviews in the past month by security area
reviewers (such as Kyle Rose).


   Document Shepherd: Tommy Pauly
   Responsible Area Director: Paul Wouters stepping in for Francesca Palombini

RFC Editor Note