Multiple HTTP message signatures in a single HTTP message

Issue #714 new
Takahiko Kawasaki created an issue

An HTTP message can contain multiple HTTP message signatures. Does Section 5.6, “HTTP message signing” of the “FAPI 2.0 Message Signing” specification, require all HTTP message signatures to meet the FAPI 2.0 requirements? Or is it sufficient for an HTTP message to include at least one HTTP message signature that satisfies the FAPI 2.0 requirements?

Requiring all HTTP message signatures to comply with the FAPI 2.0 requirements could make it difficult for application-specific HTTP message signatures to coexist with the FAPI 2.0 Message Signing specification. Therefore, my sense is that the specification should not mandate that all HTTP message signatures meet these requirements, and the specification should explicitly state that a single HTTP message signature meeting the requirements is sufficient.

Comments (5)

  1. Takahiko Kawasaki reporter

    In fact, I noticed that some code attempting to support FAPI 2.0 Message Signing requires all HTTP message signatures to meet the FAPI 2.0 requirements, which I believe is inappropriate. To prevent such implementations, the specification should address cases where an HTTP message contains multiple signatures.

  2. Takahiko Kawasaki reporter

    In addition to adding a statement to the effect that "it is sufficient if at least one of the signatures meets the FAPI requirements," it would be better to add another statement to the effect that "however, once the tag value is fapi-2-request or fapi-2-response, that signature must meet the FAPI requirements."

    For example, imagine a resource request contains two signatures, both with the tag value fapi-2-request. Let's say the first signature fully meets the FAPI requirements, while the second signature does not, as it lacks the created tag, meaning it doesn't meet the FAPI requirements. If the rule only states that "as long as at least one of the signatures meets the FAPI requirements, it is acceptable," this resource request would be accepted. However, if the rule states that "once the tag value is fapi-2-request or fapi-2-response, the signature must meet the FAPI requirements," then this resource request would be rejected.

    My intention is that any signature that appears to be intended for FAPI (i.e., any signature that declares itself as such by having the FAPI-specific tag) should, by itself, be valid as a FAPI-compliant signature.
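The policy the reporter proposes in the two comments above can be stated as a check over the `Signature-Input` header that a resource server or verifier applies before cryptographic verification. The following is an added example (not code from the issue reporter or the FAPI working group): it parses the dictionary members of an RFC 9421 `Signature-Input` header and then applies the rule that every signature tagged `fapi-2-request` or `fapi-2-response` must meet the FAPI requirements on its own, that at least one such signature must be present, and that signatures carrying other tags are left to the application. The concrete requirement set (`REQUIRED_PARAMS`, `REQUIRED_COMPONENTS`) is an assumption standing in for the full list in Section 5.6 of FAPI 2.0 Message Signing; the sample headers are constructed, and component parameters such as `name=` are ignored by the parser.

```python
"""Policy check over multiple RFC 9421 HTTP message signatures.

Added example, not code from the issue reporter or the FAPI working group.
The requirement set below is an assumed placeholder for the real FAPI 2.0
Message Signing, Section 5.6 list; the rule structure follows the issue:
  * a signature tagged fapi-2-request / fapi-2-response must comply by itself;
  * at least one compliant FAPI-tagged signature must be present;
  * signatures with any other tag are not judged by this policy.
"""
import re
from dataclasses import dataclass, field

FAPI_TAGS = {"fapi-2-request", "fapi-2-response"}
# Assumption: stand-in for the FAPI 2.0 requirement list, not the full spec.
REQUIRED_PARAMS = {"created", "keyid", "tag"}
REQUIRED_COMPONENTS = {"@method", "@target-uri"}

# One dictionary member of Signature-Input: label=("comp" ...);param=value;...
_MEMBER_RE = re.compile(
    r'\s*(?P<label>[A-Za-z*][\w\-.*]*)\s*=\s*\((?P<components>[^)]*)\)'
    r'(?P<params>(?:\s*;\s*[A-Za-z*][\w\-.*]*(?:=(?:"(?:[^"\\]|\\.)*"|[^;,\s]+))?)*)'
    r'\s*(?:,|$)'
)
_PARAM_RE = re.compile(
    r';\s*(?P<key>[A-Za-z*][\w\-.*]*)(?:=(?P<val>"(?:[^"\\]|\\.)*"|[^;,\s]+))?'
)
# Quoted component name, skipping any component parameters (e.g. ;name="x").
_COMPONENT_RE = re.compile(r'"([^"]*)"(?:;[\w\-.*]+(?:="[^"]*"|=[^;\s"]+)?)*')


@dataclass
class SignatureInput:
    label: str
    components: list
    params: dict


@dataclass
class PolicyResult:
    accepted: bool
    reason: str
    compliant: list = field(default_factory=list)      # labels that passed
    violations: dict = field(default_factory=dict)     # label -> problems


def _decode_param(raw):
    """Structured-field scalar: quoted string, integer, or bare token."""
    if raw is None:
        return True                                    # bare key, e.g. ";flag"
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    return raw


def parse_signature_input(header: str) -> list:
    """Split a Signature-Input value into its labelled signature bases."""
    header = header.strip()
    sigs, pos = [], 0
    while pos < len(header):
        m = _MEMBER_RE.match(header, pos)
        if not m:
            raise ValueError(f"malformed Signature-Input at offset {pos}")
        components = _COMPONENT_RE.findall(m.group("components"))
        params = {p.group("key"): _decode_param(p.group("val"))
                  for p in _PARAM_RE.finditer(m.group("params"))}
        sigs.append(SignatureInput(m.group("label"), components, params))
        pos = m.end()
    return sigs


def fapi_violations(sig: SignatureInput) -> list:
    """Problems that make a FAPI-tagged signature non-compliant by itself."""
    problems = [f"missing parameter '{p}'"
                for p in sorted(REQUIRED_PARAMS - set(sig.params))]
    problems += [f"missing covered component '{c}'"
                 for c in sorted(REQUIRED_COMPONENTS - set(sig.components))]
    return problems


def check_fapi_policy(header: str) -> PolicyResult:
    """Apply the multi-signature rule from the issue to one Signature-Input."""
    sigs = parse_signature_input(header)
    fapi_sigs = [s for s in sigs if s.params.get("tag") in FAPI_TAGS]
    if not fapi_sigs:
        return PolicyResult(False, "no signature carries a FAPI tag")
    violations = {s.label: v for s in fapi_sigs if (v := fapi_violations(s))}
    if violations:
        # Comment 2's case: one FAPI-tagged signature is fine, the other is
        # not; the request is rejected even though a compliant one exists.
        return PolicyResult(False, "a FAPI-tagged signature is non-compliant",
                            [], violations)
    return PolicyResult(True, "all FAPI-tagged signatures comply",
                        [s.label for s in fapi_sigs])


# Constructed sample headers, not captured traffic.
GOOD = ('sig1=("@method" "@target-uri");created=1618884473;keyid="k1";'
        'tag="fapi-2-request", app=("@method");keyid="k2";tag="my-app"')
BAD = ('sig1=("@method" "@target-uri");created=1618884473;keyid="k1";'
       'tag="fapi-2-request", sig2=("@method" "@target-uri");keyid="k1";'
       'tag="fapi-2-request"')

if __name__ == "__main__":
    for name, hdr in (("GOOD", GOOD), ("BAD", BAD)):
        r = check_fapi_policy(hdr)
        print(name, r.accepted, r.reason, r.violations or r.compliant)
```

`GOOD` is accepted because the only FAPI-tagged signature complies and the application-specific `my-app` signature is ignored; `BAD` is rejected because `sig2` declares itself FAPI by tag but lacks `created`, which is exactly the distinction the second comment draws. Signature verification itself (key lookup, base reconstruction, checking `Signature`) is a separate step that this policy check runs before.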
