
Non-Repudiation and RSA considered legacy


(Roberto Polli) #1

There are currently two RFC drafts for sending signed HTTP requests or replies - both containing the Signature and Digest headers:

  • 1 draft-cavage with a minimal approach and anterior to the new specifications of HTTP RFC723x
  • 2 signed-exchanges was born within the Web Incubator Community Group and has a more modern and radical approach, with an eye to HTTP2 and TLS1.3.

Let’s see some distinctive points.

draft-cavage:

signed-exchanges:

  • oriented to the response and distribution of content signed by third parties
  • developed mostly by Google, will be implemented in Chrome
  • supports multiple authority signatures
  • mutual security strategies from TLS1.3 and other specifications
  • uses the new draft of the HTTP working group, Structured Headers, which allows specifying binary data and strings, delimiting base64-encoded data with *

`Example-DictHeader: en="Applepie", from=*w4ZibGV0w6ZydGUK=*`

We are discussing these specifications in workgroups so that:

1- become a basis for implementing non-repudiable exchanges;
2- find a summary on the Signature header;
3- improve draft-cavage security, e.g. #35 and #36

A somewhat related draft is Encrypted Content-Coding.

To contribute to the discussion you can see the tickets of the two specifications here:

and/or contact me here or @ioggstream on Twitter and GitHub.
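
The `*`-delimited binary syntax mentioned in the signed-exchanges list, as an added example that is not part of the original post or of either draft: a parser for the dictionary form quoted above that returns strings as `str` and binary members as `bytes`, and rejects anything else. The function names, the restriction to string and binary members, and the tolerant handling of `=` padding are assumptions of this example.

```python
import base64
import re

# Constructed sample: the dictionary value quoted in the post.
SAMPLE = 'en="Applepie", from=*w4ZibGV0w6ZydGUK=*'

_KEY = re.compile(r"[a-z][a-z0-9_-]*\Z")
_B64 = re.compile(r"([A-Za-z0-9+/]*)=*\Z")


def _split_members(value):
    """Split on commas that sit outside double-quoted strings."""
    members, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            members.append("".join(current))
            current = []
        else:
            current.append(ch)
    if quoted:
        raise ValueError("unterminated string")
    members.append("".join(current))
    return members


def parse_dict_header(value):
    """Return {key: str | bytes}; raise ValueError on malformed input."""
    result = {}
    for member in _split_members(value):
        key, sep, raw = member.strip().partition("=")
        if not sep or not _KEY.match(key) or key in result:
            raise ValueError(f"bad or duplicate key: {key!r}")
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            if "\\" in raw or '"' in raw[1:-1]:
                raise ValueError("escapes are not handled in this example")
            result[key] = raw[1:-1]                    # string member
        elif len(raw) >= 2 and raw[0] == raw[-1] == "*":
            m = _B64.match(raw[1:-1])                  # binary member
            if not m or len(m.group(1)) % 4 == 1:
                raise ValueError(f"bad base64 for {key!r}")
            body = m.group(1)  # padding is tolerated and re-added (assumption)
            result[key] = base64.b64decode(body + "=" * (-len(body) % 4))
        else:
            raise ValueError(f"unsupported value for {key!r}")
    return result
```

Treating a duplicate key or an unrecognised value as a hard error matters when the header carries signature material: a lenient parser and a strict one can disagree on what was signed.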