RFC 9421 - HTTP Message Signatures

Published: February 2024
Status: Standards Track
Authors: A. Backman (Ed.), J. Richer (Ed.), M. Sporny
Info: https://www.rfc-editor.org/info/rfc9421

---

Abstract

This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange.

---

Contents

• 1. Introduction
  • 1.1. Conventions and Terminology
  • 1.2. Requirements
  • 1.3. HTTP Message Transformations
  • 1.4. Application of HTTP Message Signatures
• 2. HTTP Message Components
  • 2.1. HTTP Fields
    • 2.1.1. Strict Serialization of HTTP Structured Fields
    • 2.1.2. Dictionary Structured Field Members
    • 2.1.3. Binary-Wrapped HTTP Fields
    • 2.1.4. Trailer Fields
  • 2.2. Derived Components
    • 2.2.1. Method
    • 2.2.2. Target URI
    • 2.2.3. Authority
    • 2.2.4. Scheme
    • 2.2.5. Request Target
    • 2.2.6. Path
    • 2.2.7. Query
    • 2.2.8. Query Parameters
    • 2.2.9. Status Code
  • 2.3. Signature Parameters
  • 2.4. Signing Request Components in a Response Message
  • 2.5. Creating the Signature Base
• 3. HTTP Message Signatures
  • 3.1. Creating a Signature
  • 3.2. Verifying a Signature
    • 3.2.1. Enforcing Application Requirements
  • 3.3. Signature Algorithms
    • 3.3.1. RSASSA-PSS Using SHA-512
    • 3.3.2. RSASSA-PKCS1-v1_5 Using SHA-256
    • 3.3.3. HMAC Using SHA-256
    • 3.3.4. ECDSA Using Curve P-256 DSS and SHA-256
    • 3.3.5. ECDSA Using Curve P-384 DSS and SHA-384
    • 3.3.6. EdDSA Using Curve edwards25519
    • 3.3.7. JSON Web Signature (JWS) Algorithms
• 4. Including a Message Signature in a Message
  • 4.1. The Signature-Input HTTP Field
  • 4.2. The Signature HTTP Field
  • 4.3. Multiple Signatures
• 5. Requesting Signatures
  • 5.1. The Accept-Signature Field
  • 5.2. Processing an Accept-Signature
• 6. IANA Considerations
  • 6.1. HTTP Field Name Registration
  • 6.2. HTTP Signature Algorithms Registry
    • 6.2.1. Registration Template
    • 6.2.2. Initial Contents
  • 6.3. HTTP Signature Metadata Parameters Registry
    • 6.3.1. Registration Template
    • 6.3.2. Initial Contents
  • 6.4. HTTP Signature Derived Component Names Registry
    • 6.4.1. Registration Template
    • 6.4.2. Initial Contents
  • 6.5. HTTP Signature Component Parameters Registry
    • 6.5.1. Registration Template
    • 6.5.2. Initial Contents
• 7. Security Considerations
  • 7.1. General Considerations
    • 7.1.1. Skipping Signature Verification
    • 7.1.2. Use of TLS
  • 7.2. Message Processing and Selection
    • 7.2.1. Insufficient Coverage
    • 7.2.2. Signature Replay
    • 7.2.3. Choosing Message Components
    • 7.2.4. Choosing Signature Parameters and Derived Components over HTTP Fields
    • 7.2.5. Signature Labels
    • 7.2.6. Multiple Signature Confusion
    • 7.2.7. Collision of Application-Specific Signature Tag
    • 7.2.8. Message Content
  • 7.3. Cryptographic Considerations
    • 7.3.1. Cryptography and Signature Collision
    • 7.3.2. Key Theft
    • 7.3.3. Symmetric Cryptography
    • 7.3.4. Key Specification Mixup
    • 7.3.5. Non-deterministic Signature Primitives
    • 7.3.6. Key and Algorithm Specification Downgrades
    • 7.3.7. Signing Signature Values
  • 7.4. Matching Signature Parameters to the Target Message
    • 7.4.1. Modification of Required Message Parameters
    • 7.4.2. Matching Values of Covered Components to Values in the Target Message
    • 7.4.3. Message Component Source and Context
    • 7.4.4. Multiple Message Component Contexts
  • 7.5. HTTP Processing
    • 7.5.1. Processing Invalid HTTP Field Names as Derived Component Names
    • 7.5.2. Semantically Equivalent Field Values
    • 7.5.3. Parsing Structured Field Values
    • 7.5.4. HTTP Versions and Component Ambiguity
    • 7.5.5. Canonicalization Attacks
    • 7.5.6. Non-List Field Values
    • 7.5.7. Padding Attacks with Multiple Field Values
    • 7.5.8. Ambiguous Handling of Query Elements
• 8. Privacy Considerations
  • 8.1. Identification through Keys
  • 8.2. Signatures do not provide confidentiality
  • 8.3. Oracles
  • 8.4. Required Content
• 9. References
  • 9.1. Normative References
  • 9.2. Informative References
• Appendix A. Detecting HTTP Message Signatures
• Appendix B. Examples
  • B.1. Example Keys
    • B.1.1. Example RSA Key
    • B.1.2. Example RSA-PSS Key
    • B.1.3. Example ECC P-256 Test Key
    • B.1.4. Example Ed25519 Test Key
    • B.1.5. Example Shared Secret
  • B.2. Test Cases
    • B.2.1. Minimal Signature Using rsa-pss-sha512
    • B.2.2. Selective Covered Components Using rsa-pss-sha512
    • B.2.3. Full Coverage Using rsa-pss-sha512
    • B.2.4. Signing a Response Using ecdsa-p256-sha256
    • B.2.5. Signing a Request Using hmac-sha256
    • B.2.6. Signing a Request Using ed25519
  • B.3. TLS-Terminating Proxies
  • B.4. HTTP Message Transformations
• Acknowledgements
• Authors' Addresses