I want to sign the payload of HTTP Requests and Responses. The signature should reside in the header. The signing mechanism should not require any change in existing payload structure.
The main use case is non-repudiation.
There are many custom ways of doing it but I am looking for a standard.
If possible there should be support for signature verification without having to manually seed each application with other applications' public keys (the way Public Key Infrastructure it works with SSL certs)
Is there an existing standard that does this?
CodePudding user response:
Yes, there is an IETF draft for signing HTTP.
https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/
To the question about PKI, you can do certificate distribution in the signed headers so if you do have a root of trust for the keys you don't need to copy the individual public keys around.