2.4. Signing Request Components in a Response Message
When a request message results in a signed response message, the signer can include portions of the request message in the signature base by adding the req parameter to the component identifier.
req:  A Boolean flag indicating that the component value is derived from the request that triggered this response message and not from the response message directly.
This parameter can be applied to both HTTP fields and derived components that target the request, with the same semantics. The component value for a message component using this parameter is calculated in the same manner as it is normally, but data is pulled from the request message instead of the target response message to which the signature is applied.
Note that the same component name MAY be included with and without the req parameter in a single signature base, indicating the same named component from both the request message and the response message.
The req parameter MAY be combined with other parameters as appropriate for the component identifier, such as the key parameter for a Dictionary field.
For example, when serving a response for this request:
POST /foo?param=Value&Pet=dog HTTP/1.1
Host: example.com
Date: Tue, 20 Apr 2021 02:07:55 GMT
Content-Digest: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
Content-Type: application/json
Content-Length: 18

{"hello": "world"}
This would result in the following unsigned response message:
HTTP/1.1 503 Service Unavailable
Date: Tue, 20 Apr 2021 02:07:56 GMT
Content-Type: application/json
Content-Length: 62
Content-Digest: sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:

{"busy": true, "message": "Your call is very important to us"}
The server signs the response with its own key, including the @status code and several header fields in the covered components. While this covers a reasonable amount of the response for this application, the server additionally includes several components derived from the original request message that triggered this response. In this example, the server includes the method, authority, path, and content digest from the request in the covered components of the response. The Content-Digest for both the request and the response is included under the response signature. For the application in this example, the query is deemed not to be relevant to the response and is therefore not covered. Other applications would make different decisions based on application needs, as discussed in Section 1.4.
The signature base for this example is:
"@status": 503
"content-digest": sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
"content-type": application/json
"@authority";req: example.com
"@method";req: POST
"@path";req: /foo
"content-digest";req: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
"@signature-params": ("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "content-digest";req);created=1618884479;keyid="test-key-ecc-p256"
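The construction shown above, as an added Python example that is not part of RFC 9421 or any of its implementations: it builds this signature base from the request and response messages of this example, taking each ";req" component's value from the request rather than the response. Function names are the example's own; it implements only the derived components these examples use and omits the message bodies, which are covered through Content-Digest rather than directly.

```python
# Added example, not code from RFC 9421: builds the signature base for a response
# whose covered components include ";req" items taken from the request it answers.
# Only the derived components used in this section are implemented; bodies are omitted.
REQUEST = """POST /foo?param=Value&Pet=dog HTTP/1.1
Host: example.com
Date: Tue, 20 Apr 2021 02:07:55 GMT
Content-Digest: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
Content-Type: application/json
Content-Length: 18"""
RESPONSE = """HTTP/1.1 503 Service Unavailable
Date: Tue, 20 Apr 2021 02:07:56 GMT
Content-Type: application/json
Content-Length: 62
Content-Digest: sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:"""

def parse(raw):
    """Start line and lowercased header map of a header-only HTTP/1.1 message."""
    start, *lines = raw.split("\n")
    hdrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()  # a repeated field would be joined with ", "
    return start, hdrs

def component_value(name, msg):
    """Value of a derived component (@...) or an HTTP field from a parsed message."""
    start, hdrs = msg
    if not name.startswith("@"):
        return hdrs[name]
    word = start.split(" ")  # request: METHOD TARGET VERSION; response: VERSION STATUS REASON
    path, _, query = word[1].partition("?")
    return {"@status": word[1], "@method": word[0], "@authority": hdrs.get("host", "").lower(),
            "@path": path, "@query": "?" + query}[name]  # Section 2.2.7: @query keeps its "?"

def signature_base(components, params, request, response):
    """`components`: (name, from_request) pairs in signature order; `params`: the
    serialized signature parameters, e.g. ';created=...;keyid="..."'."""
    req, res = parse(request), parse(response)
    lines, ids = [], []
    for name, from_req in components:
        ident = f'"{name}"' + (";req" if from_req else "")  # ;req: value comes from the request
        lines.append(f"{ident}: {component_value(name, req if from_req else res)}")
        ids.append(ident)
    lines.append(f'"@signature-params": ({" ".join(ids)}){params}')
    return "\n".join(lines)

def rfc_example_base():  # covered components of the first signed response in this section
    covered = [("@status", False), ("content-digest", False), ("content-type", False),
               ("@authority", True), ("@method", True), ("@path", True), ("content-digest", True)]
    return signature_base(covered, ';created=1618884479;keyid="test-key-ecc-p256"', REQUEST, RESPONSE)
```

The same function reproduces the second signature base of this section once `("@query", True)`, `("content-type", True)` and `("content-length", True)` are added to the covered list.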
The signed response message is:
HTTP/1.1 503 Service Unavailable
Date: Tue, 20 Apr 2021 02:07:56 GMT
Content-Type: application/json
Content-Length: 62
Content-Digest: sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
Signature-Input: reqres=("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "content-digest";req);created=1618884479;keyid="test-key-ecc-p256"
Signature: reqres=:dMT/A/76ehrdBTD/2Xx8QuKV6FoyzEP/I9hdzKN8LQJLNgzU4W767HK05rx1i8meNQQgQPgQp8wq2ive3tV5Ag==:

{"busy": true, "message": "Your call is very important to us"}
Note that the ECDSA signature algorithm in use here is non-deterministic, meaning that a different signature value will be created every time the algorithm is run. The signature value provided here can be validated against the given keys, but newly generated signature values are not expected to match the example. See Section 7.3.5.
Since the component values from the request are not repeated in the response message, the requester MUST keep the original message component values around long enough to validate the signature of the response that uses this component identifier parameter. In most cases, this means the requester needs to keep the original request message around, since the signer could choose to include any portions of the request in its response, according to the needs of the application. Since it is possible for an intermediary to alter a request message before it is processed by the server, applications need to take care not to sign such altered values, as the client would not be able to validate the resulting signature.
It is also possible for a server to create a signed response in response to a signed request. For this example of a signed request:
POST /foo?param=Value&Pet=dog HTTP/1.1
Host: example.com
Date: Tue, 20 Apr 2021 02:07:55 GMT
Content-Digest: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
Content-Type: application/json
Content-Length: 18
Signature-Input: sig1=("@method" "@authority" "@path" "@query" "content-digest" "content-type" "content-length");created=1618884475;keyid="test-key-rsa-pss"
Signature: sig1=:e8UJ5wMiRaonlth5ERtE8GIiEH7Akcr493nQ07VPNo6y3qvjdKt0fo8VHO8xXDjmtYoatGYBGJVlMfIp06eVMEyNW2I4vN7XDAz7m5v1108vGzaDljrd0H8+SJ28g7bzn6h2xeL/8q+qUwahWA/JmC8aOC9iVnwbOKCc0WSrLgWQwTY6VLp42Qt7jjhYT5W7/wCvfK9A1VmHH1lJXsV873Z6hpxesd50PSmO+xaNeYvDLvVdZlhtw5PCtUYzKjHqwmaQ6DEuM8udRjYsoNqp2xZKcuCO1nKc0V3RjpqMZLuuyVbHDAbCzr0pg2d2VM/OC33JAU7meEjjaNz+d7LWPg==:

{"hello": "world"}
The server could choose to sign portions of this response, including several portions of the request, resulting in this signature base:
"@status": 503
"content-digest": sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
"content-type": application/json
"@authority";req: example.com
"@method";req: POST
"@path";req: /foo
"@query";req: ?param=Value&Pet=dog
"content-digest";req: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==:
"content-type";req: application/json
"content-length";req: 18
"@signature-params": ("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "@query";req "content-digest";req "content-type";req "content-length";req);created=1618884479;keyid="test-key-ecc-p256"
and the following signed response:
HTTP/1.1 503 Service Unavailable
Date: Tue, 20 Apr 2021 02:07:56 GMT
Content-Type: application/json
Content-Length: 62
Content-Digest: sha-512=:0Y6iCBzGg5rZtoXS95Ijz03mslf6KAMCloESHObfwnHJDbkkWWQz6PhhU9kxsTbARtY2PTBOzq24uJFpHsMuAg==:
Signature-Input: reqres=("@status" "content-digest" "content-type" "@authority";req "@method";req "@path";req "@query";req "content-digest";req "content-type";req "content-length";req);created=1618884479;keyid="test-key-ecc-p256"
Signature: reqres=:C73J41GVKc+TYXbSobvZf0CmNcptRiWN+NY1Or0A36ISg6ymdRN6ZgR2QfrtopFNzqAyv+CeWrMsNbcV2Ojsgg==:

{"busy": true, "message": "Your call is very important to us"}
Note that the ECDSA signature algorithm in use here is non-deterministic, meaning that a different signature value will be created every time the algorithm is run. The signature value provided here can be validated against the given keys, but newly generated signature values are not expected to match the example. See Section 7.3.5.
Applications signing a response to a signed request SHOULD sign all of the components of the request signature value to provide sufficient coverage and protection against a class of collision attacks, as discussed in Section 7.3.7. The server in this example has included all components listed in the Signature-Input field of the client's signature on the request in the response signature, in addition to components of the response.
While it is syntactically possible to include the Signature and Signature-Input fields of the request message in the signature components of a response to a message using this mechanism, this practice is NOT RECOMMENDED. This is because signatures of signatures do not provide transitive coverage of covered components as one might expect, and the practice is susceptible to several attacks as discussed in Section 7.3.7. An application that needs to signal successful processing or receipt of a signature would need to carefully specify alternative mechanisms for sending such a signal securely.
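A verifier-side check for the two recommendations above (cover every request-signature component as ";req"; do not cover the request's Signature or Signature-Input fields), as an added Python example that is not part of RFC 9421: it lists the request-signature components a response signature leaves uncovered and flags a response that signs the request's signature fields. The Signature-Input values are the ones from this section; the function names are the example's own, and the regex parsing assumes identifiers without embedded spaces rather than a full Structured Fields parser.

```python
# Added example, not code from RFC 9421. Compares a response signature's covered
# components against those of the request signature it answers.
import re

def covered_components(signature_input, label):
    """Component identifiers inside `label=( ... )` of a Signature-Input value.
    Assumes identifiers contain no spaces (true for the examples in this section)."""
    m = re.search(re.escape(label) + r"=\(([^)]*)\)", signature_input)
    if m is None:
        raise ValueError(f"no signature labelled {label!r}")
    return m.group(1).split()

def missing_request_coverage(req_sig_input, req_label, res_sig_input, res_label):
    """Request-signature components the response signature does not cover as ';req'
    (Section 2.4 SHOULD). Parameters must appear in the same order in both lists."""
    wanted = {c + ";req" for c in covered_components(req_sig_input, req_label)}
    return sorted(wanted - set(covered_components(res_sig_input, res_label)))

def signs_request_signature(res_sig_input, res_label):
    """True if the response covers the request's Signature or Signature-Input field
    with ';req', the NOT RECOMMENDED practice of signing a signature."""
    return any(c.split(";")[0] in ('"signature"', '"signature-input"') and "req" in c.split(";")[1:]
               for c in covered_components(res_sig_input, res_label))

# Signature-Input values taken from this section (embedded here as plain strings).
REQ_SI = ('sig1=("@method" "@authority" "@path" "@query" "content-digest" '
          '"content-type" "content-length");created=1618884475;keyid="test-key-rsa-pss"')
RES_SI_FULL = ('reqres=("@status" "content-digest" "content-type" "@authority";req '
               '"@method";req "@path";req "@query";req "content-digest";req '
               '"content-type";req "content-length";req);created=1618884479;keyid="test-key-ecc-p256"')
RES_SI_PARTIAL = ('reqres=("@status" "content-digest" "content-type" "@authority";req '
                  '"@method";req "@path";req "content-digest";req);created=1618884479;keyid="test-key-ecc-p256"')
```

Against the signed request above, the second response of this section (RES_SI_FULL) leaves nothing uncovered, while the first response (RES_SI_PARTIAL) leaves the request's @query, Content-Type and Content-Length outside the response signature.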
The response signature can only ever cover what is included in the request message when using this flag. Consequently, if an application needs to include the message content of the request under the signature of its response, the client needs to include a means for covering that content, such as a Content-Digest field. See the discussion in Section 7.2.8 for more information.
The req parameter MUST NOT be used for any component in a signature that targets a request message.