Error codes for HTTP Message Signatures-related errors

Issue #719 new
Takahiko Kawasaki created an issue

It may be worth considering defining new error codes for HTTP message signature verification errors.

RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) has defined invalid_dpop_proof and use_dpop_nonce error codes for DPoP-related errors. Similarly, OAuth-aware applications using HTTP Message Signatures may want dedicated error codes for HTTP Message Signatures-related errors. For example, invalid_http_message_signature.

Without such dedicated error codes, the userinfo endpoint implementation I’m working on will eventually return invalid_request for HTTP message signature verification errors, as there doesn’t seem to be any more appropriate error code among the currently available ones.
