Menu
I want to sign the payload of HTTP Requests and Responses. The signature should reside in the header. The signing mechanism should not require any change in existing payload structure.
The main use case is non-repudiation.
There are many custom ways of doing it but I am looking for a standard.
If possible there should be support for signature verification without having to manually seed each application with other applications' public keys (the way Public Key Infrastructure it works with SSL certs)
Is there an existing standard that does this?
542
Yes, there is an IETF draft for signing HTTP.
https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/
To the question about PKI, you can do certificate distribution in the signed headers so if you do have a root of trust for the keys you don't need to copy the individual public keys around.
106
answered Jun 06 '26 06:06
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
