Defining HTTP signature validation (RFC 9421) as a precondition extension to allow 412 as the response code

DYER Kevin <Kevin.DYER@3ds.com> Wed, 26 November 2025 06:47 UTC

From: DYER Kevin <Kevin.DYER@3ds.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Fri, 21 Nov 2025 15:38:18 +0000
Message-ID: <d37b2679895f469fabf023f6b5d443d8@3ds.com>
Archived-At: <https://www.w3.org/mid/d37b2679895f469fabf023f6b5d443d8@3ds.com>

Hello All,

I am working with a team that is looking to implement HTTP Message signatures and validation within our products. I have not read the entire history of how this specification evolved over time and therefore do not know if this topic was previously discussed. If it was and not acted upon, I apologize up front.

After reviewing the RFC, I find the error-reporting recommendation to use a status code of 401 is not in line with [HTTP] RFC 9110 Section 15.5.2, 401 Unauthorized. Additionally, the status code 403 does not make sense when requests have been made with credentials being exchanged. The 403 response can be interpreted by intermediary network components, as in ZTNA or identity-aware proxies, as an indicator by the origin/target server to cease all access to this session. If not the network components, then the application itself may take action when a 403 is the status response and perform an absolute session termination (SLO).

My interpretation of RFC 9421 has me regarding signature validation as a higher class of preconditions to the HTTP message, much the same as If-Modified-Since, If-Match, etc. But these preconditions are applied before further processing of the HTTP message and after any TLS preconditions have been met (SERVER HELLO certificate validation, SNI, mTLS, ALPN, etc.). In the Tomcat world this could be implemented at a valve level, to be executed before a single nibble of application code is run.

Prereq: the server or client has been configured with a valve/filter/servlet/JavaScript function to recognize and operate on all signature components.

If signature validation is indeed a superclass of preconditions that must be validated, and when the signature components are found within the header section of the HTTP message, then doesn't it make sense to use 412 Precondition Failed as the primary status response for a signature validation failure or exception? The 412 response per [HTTP] allows for as much or as little detail as necessary in the response body to provide information to the end user.

Best Regards,

Kevin J. Dyer
AMERICAS User Success Engineering Director, Infrastructure and Security
kevin.dyer@3ds.com

Office: +1 781 810 3582
Mobile: +1 978 549 0971

Dassault Systèmes | www.3ds.com | The 3DEXPERIENCE
Dassault Systèmes | 175 Wyman St |Waltham, MA  02451-1223 | United States
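A server-side check along the lines the post describes, as an added example that is not part of the post or of any project's code: it assembles the RFC 9421 signature base for a request, verifies an hmac-sha256 signature (an algorithm RFC 9421 registers), and maps the outcome to the status codes discussed, returning 412 when a supplied signature fails and 401 only when no signature was supplied at all (that split is an assumed policy, not something the post or the RFC prescribes). The key table, the request dictionary layout and the 300-second freshness window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed key table (hypothetical); hmac-sha256 is an algorithm registered by RFC 9421.
KEYS = {"app-key-1": b"constructed-shared-secret"}
MAX_AGE = 300  # seconds a signature stays acceptable: local policy, not an RFC value

def signature_base(req, components, sig_params):
    """Assemble the RFC 9421 signature base (Section 2.5) from the covered components."""
    lines = []
    for name in components:
        if name.startswith("@"):  # derived components this example supports
            value = {"@method": req["method"], "@authority": req["authority"], "@path": req["path"]}[name]
        else:  # an HTTP field, keyed by its lower-cased name
            value = req["headers"][name]
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines).encode()

def sign(req, components, created, keyid):
    """Client side: add Signature-Input and Signature fields under label sig1."""
    sig_params = "(" + " ".join(f'"{c}"' for c in components) + f');created={created};keyid="{keyid}"'
    mac = hmac.new(KEYS[keyid], signature_base(req, components, sig_params), hashlib.sha256).digest()
    req["headers"]["signature-input"] = f"sig1={sig_params}"
    req["headers"]["signature"] = f"sig1=:{base64.b64encode(mac).decode()}:"
    return req

def validate(req, now):
    """Server side: status a precondition-style filter would emit before any app code runs."""
    h = req["headers"]
    if "signature-input" not in h or "signature" not in h:
        return 401  # nothing to verify: a challenge to supply credentials (assumed policy)
    m = re.fullmatch(r'sig1=(\((?:"[^"]*"\s?)*\)(.*))', h["signature-input"])
    s = re.fullmatch(r"sig1=:([A-Za-z0-9+/=]+):", h["signature"])
    if not m or not s:
        return 412  # malformed component list or signature value
    sig_params, params = m.group(1), m.group(2)
    components = re.findall(r'"([^"]+)"', sig_params.split(")")[0])
    keyid = re.search(r'keyid="([^"]+)"', params)
    created = re.search(r"created=(\d+)", params)
    if not keyid or keyid.group(1) not in KEYS or not created or now - int(created.group(1)) > MAX_AGE:
        return 412  # unknown key or stale signature: the precondition is not met
    try:
        base = signature_base(req, components, sig_params)
        given = base64.b64decode(s.group(1), validate=True)
    except (KeyError, ValueError):
        return 412  # a covered component is absent, or the signature is not valid base64
    expected = hmac.new(KEYS[keyid.group(1)], base, hashlib.sha256).digest()
    return 200 if hmac.compare_digest(expected, given) else 412
```

The verifier rebuilds the base from the message it actually received, so a request whose covered path or header was altered in transit fails the same way as one signed with the wrong key.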