7.1.2. Use of TLS

The use of HTTP message signatures does not negate the need for TLS or its equivalent to protect information in transit. Message signatures provide message integrity over the covered message components but do not provide any confidentiality for communication between parties.

TLS provides such confidentiality between the TLS endpoints. As part of this, TLS also protects the signature data itself from being captured by an attacker. This is an important step in preventing signature replay (Section 7.2.2).
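The properties described above, shown as an added example that is not part of the original text: a simplified signature base in the style of HTTP message signatures, signed with HMAC-SHA256, where verification detects tampering but the body stays readable and an identical captured copy still verifies. The key, host name, request body, `keyid` value and dictionary layout are constructed assumptions, and the code does not implement the full signature base rules.

```python
import base64, copy, hashlib, hmac

KEY = b"constructed-demo-shared-secret"  # constructed sample key, an assumption

def content_digest(body):
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return f"sha-256=:{digest}:"

def signature_base(components, covered, params):
    # One '"name": value' line per covered component, then @signature-params.
    lines = [f'"{name}": {components[name]}' for name in covered]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign(components, covered, params, key=KEY):
    mac = hmac.new(key, signature_base(components, covered, params), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_message(body):
    # Constructed sample request; the keys of this dict are hypothetical.
    components = {"@method": "POST", "@authority": "api.example.com",
                  "content-digest": content_digest(body)}
    covered = list(components)
    inner = " ".join(f'"{name}"' for name in covered)
    params = f'({inner});created=1700000000;keyid="demo-key"'
    return {"body": body, "components": components, "covered": covered,
            "params": params, "signature": sign(components, covered, params)}

def verify(msg, key=KEY):
    # Integrity check only: the body must match its digest and the MAC must match.
    if msg["components"]["content-digest"] != content_digest(msg["body"]):
        return False
    expected = sign(msg["components"], msg["covered"], msg["params"], key)
    return hmac.compare_digest(expected, msg["signature"])

def demo():
    original = build_message(b'{"account": "12345", "amount": 10}')
    captured = copy.deepcopy(original)   # identical copy, as seen on a link without TLS
    tampered = copy.deepcopy(original)
    tampered["body"] = b'{"account": "99999", "amount": 10}'
    return {
        "original_valid": verify(original),
        "tampered_valid": verify(tampered),             # integrity: change is detected
        "body_readable": b"12345" in captured["body"],  # no confidentiality
        "captured_copy_valid": verify(captured),        # signature alone does not stop replay
    }

if __name__ == "__main__":
    print(demo())
```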

When TLS is used, it needs to be deployed according to the recommendations provided in [BCP195].