There are currently two RFC drafts for sending signed HTTP requests or replies - both containing the
1. draft-cavage, a minimal approach that predates the new HTTP specifications (RFC 723x)
2. signed-exchanges, born within the Web Incubator Community Group, a more modern and radical approach with an eye to HTTP/2 and TLS 1.3
Let's look at some distinctive points.
draft-cavage:
- aimed at generic exchanges over HTTP
- presents, imho, some security gaps
- supports RSA
- is a candidate for use in some banking APIs (stet.fr, berlin-group.org)
signed-exchanges:
- aimed at responses and at the distribution of content signed by third parties
- developed mostly by Google; will be implemented in Chrome
- supports signatures from multiple authorities
- borrows security strategies from TLS 1.3 and other specifications
- uses the new HTTP Working Group draft Structured Headers, which allows binary data and strings to be specified, delimiting base64-encoded data with `*`:
`Example-DictHeader: en="Applepie", da=*w4ZibGV0w6ZydGUK=*`
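As an added example (not code from the post or from either draft), here is a small strict parser for the dictionary header form quoted above, following the early Structured Headers syntax: strings in double quotes, byte sequences as base64 between `*` delimiters. The identifier rule, the no-whitespace-around-`=` grammar and the helper names are assumptions of this example; the sample header is constructed from the quoted one.

```python
import base64
import re

# Added example, not code from the post or from either draft. Strictness is
# the point: headers of this kind carry signature material, so a value must
# parse exactly one way or be rejected, never "repaired" by a lenient decoder.

# Member grammar assumed for this example: lowercase key, '=' with no
# surrounding whitespace, then a quoted string (no escapes) or a '*'-delimited
# base64 byte sequence; members separated by ',' with optional whitespace.
_MEMBER = re.compile(
    r'\s*(?P<key>[a-z][a-z0-9_-]*)='
    r'(?:"(?P<str>[^"\\]*)"|\*(?P<b64>[A-Za-z0-9+/=]*)\*)'
    r'\s*(?P<sep>,|$)'
)

def _decode_b64(text: str) -> bytes:
    # Require canonical length and padding: validate=True alone is not enough,
    # because non-strict decoders silently accept a surplus '='.
    if len(text) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", text):
        raise ValueError(f"invalid base64 byte sequence: {text!r}")
    return base64.b64decode(text, validate=True)

def parse_dict_header(value: str) -> dict:
    """Parse a dictionary header value into {key: str | bytes}."""
    members, pos = {}, 0
    while pos < len(value):
        m = _MEMBER.match(value, pos)
        if m is None:
            raise ValueError(f"cannot parse dictionary at offset {pos}: {value[pos:]!r}")
        key = m.group("key")
        if key in members:
            raise ValueError(f"duplicate key: {key}")
        if m.group("str") is not None:
            members[key] = m.group("str")
        else:
            members[key] = _decode_b64(m.group("b64"))
        pos = m.end()
        if m.group("sep") == "," and pos >= len(value.rstrip()):
            raise ValueError("trailing comma")
    return members

def is_valid_dict_header(value: str) -> bool:
    try:
        parse_dict_header(value)
    except ValueError:
        return False
    return True

# Constructed sample in the syntax quoted in the post. The payload is written
# without a trailing '=': 16 base64 characters encode exactly 12 bytes.
EXAMPLE = 'en="Applepie", da=*w4ZibGV0w6ZydGUK*'

if __name__ == "__main__":
    print(parse_dict_header(EXAMPLE))
```

Decoding the byte sequence gives the Danish translation of the English value, which is why the two members belong together.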
We are discussing these specifications in workgroups so that:
A somewhat related draft is Encrypted Content-Coding.
To contribute to the discussion you can see the tickets of the two specifications here:
and/or contact me here or @ioggstream on Twitter and GitHub.