Question
This spec defines three headers — Signature-Key, Signature-Requirement, and Signature-Error — but does not define a baseline HTTP Message Signatures profile (minimum covered components, timestamp requirements, verification steps). Currently, every protocol using these headers must independently profile how signatures are constructed and verified. AAuth does this in its protocol spec.
Options
-
No baseline profile — each protocol profiles independently. Signature-Requirement's required_input parameter enables runtime discovery of the server's requirements, reducing the need for a predefined profile.
-
Define a recommended baseline — specify a minimum set of covered components (e.g., @method, @authority, @path, signature-key), require the created parameter, and provide basic verification steps. Protocols can extend but not reduce this baseline.
-
Define the baseline as a separate document — keep this spec focused on the headers and publish a companion "HTTP Message Signatures Baseline Profile" spec.
Context
Without a baseline, two independent implementations of Signature-Requirement may not interoperate unless they agree on a profile out of band. The required_input parameter in Signature-Requirement partially addresses this by allowing runtime negotiation, but doesn't cover verification-side requirements (e.g., timestamp validation, replay protection).
Question
This spec defines three headers — Signature-Key, Signature-Requirement, and Signature-Error — but does not define a baseline HTTP Message Signatures profile (minimum covered components, timestamp requirements, verification steps). Currently, every protocol using these headers must independently profile how signatures are constructed and verified. AAuth does this in its protocol spec.
Options
No baseline profile — each protocol profiles independently. Signature-Requirement's
required_inputparameter enables runtime discovery of the server's requirements, reducing the need for a predefined profile.Define a recommended baseline — specify a minimum set of covered components (e.g.,
@method,@authority,@path,signature-key), require thecreatedparameter, and provide basic verification steps. Protocols can extend but not reduce this baseline.Define the baseline as a separate document — keep this spec focused on the headers and publish a companion "HTTP Message Signatures Baseline Profile" spec.
Context
Without a baseline, two independent implementations of Signature-Requirement may not interoperate unless they agree on a profile out of band. The
required_inputparameter in Signature-Requirement partially addresses this by allowing runtime negotiation, but doesn't cover verification-side requirements (e.g., timestamp validation, replay protection).