PEM feedback on draft-ietf-httpbis-message-signatures-13

Henry Story <> Sun, 06 November 2022 10:55 UTC

To: HTTP Working Group <>


I am very keen on this protocol becoming a standard.

The following feedback comes from trying to implement it carefully
in Scala, compiling to JS and to JVM bytecode, so that the libraries
can work in the browser and on the server.

I was just now at the stage of testing that the keys in the document
can be used to correctly sign the base strings published there (see [0]).
Having such examples is very useful to test the spec, and to test
one’s implementation, of course.

Everything is fine on the Java VM, but the PEM encoded keys do not
work well with the JS Web Crypto API. I wrote up one problem in [1].
The Web Crypto API being deployed in all browsers is a major platform.
As it becomes more widely adopted on NodeJS this will become
even more important. So having examples that library devs can get to
work on those platforms seems to me like an important requirement.

I asked the Web Crypto API folks in [2] what their feedback was,
and got this very helpful response by @panva which I think is worth quoting in full:

> The keys in appendix-B.1.1 are in PKCS1, which isn't accepted by webcrypto at all. Recommend using rsaEncryption OID PKCS8 and SPKI PEM or JWK if they ought to be imported as CryptoKey reliably.
> The private key in appendix-B.1.2 is 1.2.840.113549.1.1.10 (id-RSASSA-PSS). WebCryptoAPI implementations only generally accept 1.2.840.113549.1.1.1 (rsaEncryption) keys. Recommend using rsaEncryption OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
> The private key in appendix-B.1.3 is in SEC1 format, which isn't accepted by webcrypto at all. Recommend using id-ecPublicKey OID PKCS8 PEM or JWK if they ought to be imported as CryptoKey reliably.
> The keys in appendix-B.1.4 are fine but currently only Node.js and Deno runtimes implement Ed25519 as per Secure Curves in the Web Cryptography API.
> Hope this helps inform the WG. I would propose to keep the PEM keys as is and add their JWK representation.

I also think there is good reason to publish both the PEM and the JWK as we are in a
transition phase between the old binary ASN1 encodings and more semantic encodings.

I will continue working next on updating the protocol library after
version 07 in [3].

Henry Story
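
The container and OID distinctions in the quoted reply can be checked mechanically before a key is handed to `crypto.subtle.importKey`. The Node.js sketch below is an added example, not part of the original message or the draft; the function names, the verdict strings (which paraphrase the quoted reply) and the sample key shell are constructed for illustration.

```javascript
// Added example (Node.js): classify a PEM key by label and, for PKCS#8/SPKI, by algorithm OID.
const OIDS = {
  "1.2.840.113549.1.1.1": ["rsaEncryption", "accepted"],
  "1.2.840.113549.1.1.10": ["id-RSASSA-PSS", "generally rejected"],
  "1.2.840.10045.2.1": ["id-ecPublicKey", "accepted"],
  "1.3.101.112": ["id-Ed25519", "runtime-dependent"],
};
// Read one DER TLV header: tag, content start, content end (short and long length forms).
function tlv(buf, off) {
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {                            // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error("truncated DER");
  return { tag: buf[off], start, end: start + len };
}
// Decode OBJECT IDENTIFIER content bytes to dotted form (base-128 arcs).
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (const b of bytes.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}
function classifyPem(pem) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(pem);
  if (!m) throw new Error("not a PEM block");
  const label = m[1];
  if (/^RSA (PRIVATE|PUBLIC) KEY$/.test(label)) return { container: "PKCS#1", importFormat: null, webcrypto: "rejected" };
  if (label === "EC PRIVATE KEY") return { container: "SEC1", importFormat: null, webcrypto: "rejected" };
  if (label !== "PRIVATE KEY" && label !== "PUBLIC KEY") throw new Error("unsupported label: " + label);
  const priv = label === "PRIVATE KEY";
  const der = Buffer.from(m[2].replace(/\s+/g, ""), "base64");
  const top = tlv(der, 0).start;               // inside the outer SEQUENCE
  const alg = tlv(der, priv ? tlv(der, top).end : top), oid = tlv(der, alg.start); // PKCS#8: skip version
  if (alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error("unexpected DER layout");
  const dotted = decodeOid(der.subarray(oid.start, oid.end));
  const [algorithm, webcrypto] = OIDS[dotted] || ["unknown", "unknown"];
  return { container: priv ? "PKCS#8" : "SPKI", importFormat: priv ? "pkcs8" : "spki", oid: dotted, algorithm, webcrypto };
}
function samplePkcs8(oidHex) { // Constructed sample: PKCS#8 shell with placeholder key bytes, not a usable key.
  const oid = Buffer.from(oidHex, "hex");
  const der = Buffer.from([0x30, oid.length + 11, 2, 1, 0, 0x30, oid.length + 2, 6, oid.length, ...oid, 4, 2, 0, 0]);
  return `-----BEGIN PRIVATE KEY-----\n${der.toString("base64")}\n-----END PRIVATE KEY-----`;
}
```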