Skip to main content

Last Call Review of draft-ietf-httpbis-message-signatures-16

Request Review of draft-ietf-httpbis-message-signatures
Requested revision No specific revision (document currently at 19)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2023-02-20
Requested 2023-02-06
Authors Annabelle Backman , Justin Richer , Manu Sporny
I-D last updated 2023-02-14
Completed reviews Secdir Telechat review of -17 by Daniel Migault (diff)
Artart Telechat review of -17 by Harald T. Alvestrand (diff)
Secdir Early review of -05 by Daniel Migault (diff)
Artart Last Call review of -16 by Harald T. Alvestrand (diff)
Opsdir Last Call review of -16 by Bo Wu (diff)
Secdir Last Call review of -16 by Daniel Migault (diff)
Genart Last Call review of -16 by Dan Romascanu (diff)
Assignment Reviewer Dan Romascanu
State Completed
Request Last Call review on draft-ietf-httpbis-message-signatures by General Area Review Team (Gen-ART) Assigned
Posted at
Reviewed revision 16 (document currently at 19)
Result Ready w/nits
Completed 2023-02-14
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at


Document: draft-ietf-httpbis-message-signatures-16
Reviewer: Dan Romascanu
Review Date: 2023-02-14
IETF LC End Date: 2023-02-20
IESG Telechat date: Not scheduled for a telechat


This document defines a mechanism for providing end-to-end integrity and
authenticity for components of an HTTP message. The mechanism allows
applications to create digital signatures or message authentication codes. This
mechanism supports use case where the full HTTP message may not be known to the
signer, and where the message may be transformed before reaching the verifier.
This document also describes a means for requesting that a signature be applied
to a subsequent HTTP message in an ongoing HTTP exchange.

It's a detailed and well-structured document. I appreciated the terminology
section that helped me understand many of the details in the following sections
without much need to go and search in other documents.

Major issues:

Minor issues:

Nits/editorial comments:

1. In Section 1:

>  The term "Unix time" is defined by [POSIX.1], Section 4.16

I am not sure that the URL is necessary, the reference may be sufficient.

2. I am wondering why the issues raised in 'Detecting HTTP Message Signatures'
are pushed into an Appendix. They seem quite important for implementers to be
mentioned in the body of the memo, maybe as a sub-section of the Introduction.