7. Security Considerations
In order for an HTTP message to be considered covered by a signature, all of the following conditions have to be true:
- A signature is expected or allowed on the message by the verifier.
- The signature exists on the message.
- The signature is verified against the identified key material and algorithm.
- The key material and algorithm are appropriate for the context of the message.
- The signature is within expected time boundaries.
- The signature covers the expected content, including any critical components.
- The list of covered components is applicable to the context of the message.
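A verifier sketch of the checklist above, added here as an illustration and not taken from the RFC's own text: it applies the seven conditions to one constructed message. The policy structure, the simplified signature base, HMAC-SHA256 as the algorithm, and the parameter names created, expires, keyid and alg are all assumptions made for the example rather than content of this page.

```python
import hmac, hashlib

# Constructed verifier policy (an assumed shape, not one the RFC defines). Its mere
# existence models condition 1: the verifier expects a signature on this message.
POLICY = {
    "required": ["@method", "@authority", "@path", "content-digest"],
    "allowed": {"@method", "@authority", "@path", "content-digest", "date"},
    "keys": {"test-key": {"alg": "hmac-sha256", "secret": b"constructed-shared-secret"}},
    "max_age": 300,    # seconds after `created` that a signature is still accepted
    "clock_skew": 60,  # tolerated clock difference for a `created` in the future
}

def signature_params(components, p):
    """@signature-params value: inner list of covered components, then parameters."""
    inner = "(" + " ".join(f'"{c}"' for c in components) + ")"
    parts = [f"created={p['created']}"] + ([f"expires={p['expires']}"] if "expires" in p else [])
    parts += [f'keyid="{p["keyid"]}"', f'alg="{p["alg"]}"']
    return inner + ";" + ";".join(parts)

def signature_base(components, msg, p):
    """Simplified base: '"name": value' per covered component, then @signature-params."""
    lines = [f'"{c}": {msg[c]}' for c in components]
    return "\n".join(lines + [f'"@signature-params": {signature_params(components, p)}']).encode()

def sign(components, msg, p, secret):
    """HMAC-SHA256 over the signature base (used both to build input and to verify)."""
    return hmac.new(secret, signature_base(components, msg, p), hashlib.sha256).digest()

def check_signature(msg, sig, now, policy=POLICY):
    """Apply the seven conditions; return (covered, reason). `msg` maps component names
    to canonical values; `sig` is None when absent, else {"components", "params", "value"}."""
    if sig is None:                                            # 2. signature exists
        return False, "no signature present"
    p, comps = sig["params"], sig["components"]
    key = policy["keys"].get(p.get("keyid"))                   # 4. key/alg appropriate
    if key is None or key["alg"] != p.get("alg"):
        return False, "unknown key, or algorithm not allowed for this key"
    created = p.get("created")                                 # 5. time boundaries
    if created is None or created > now + policy["clock_skew"]:
        return False, "missing or future created time"
    if now > created + policy["max_age"] or now > p.get("expires", float("inf")):
        return False, "signature expired"
    missing = [c for c in policy["required"] if c not in comps]
    if missing:                                                # 6. critical components
        return False, f"required components not covered: {missing}"
    if not set(comps) <= policy["allowed"] or not set(comps) <= set(msg):
        return False, "covered component not applicable to this message"   # 7.
    if not hmac.compare_digest(sign(comps, msg, p, key["secret"]), sig["value"]):
        return False, "signature value does not verify"        # 3. verified against key
    return True, "covered"
```

The cheap policy checks run before the cryptographic comparison, but a message is only reported as covered when every one of the seven conditions holds.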
In addition to the application requirement definitions listed in Section 1.4, the following security considerations provide discussion and context regarding the requirements of creating and verifying signatures on HTTP messages.