Anders Rundgren <> Fri, 17 July 2020 07:53 UTC

From: Anders Rundgren <>
Date: Fri, 17 Jul 2020 09:52:39 +0200
Subject: Serialization#draft-ietf-httpbis-message-signatures-00

Dear List,
Making signed HTTP requests serializable (in a reasonable way) is as far as I can tell not a part of the current agenda.

FWIW, here is a [very] raw proposal for how this could be accomplished:
- Build on JWS compact mode.
- Put a hash and attributes of the signed HTTP header data (you're the experts on this part) in the JWS Protected Header as an extension.
- Put the payload in the JWS Payload element using the standard base64url encoding.
   Optionally use the JWS "typ" Protected Header element to specify MIME type of the payload
- Use the completed JWS compact string as the sole HTTP Body element

For JSON-formatted data there is yet another possibility: combine with "in-line/detached" JWS (
      "anyJsonElement": "something",

In both cases the HTTP Body element contains the serializable signed data.  Verifying signed HTTP header data is though not possible to perform after leaving the HTTP environment.  OTOH, for systems that actually depend on serialization, using HTTP headers as data carriers doesn't appear as a recommendable approach.  In my own work which heavily builds on counter-signatures for digital contracts, URL and current time are therefore represented in the JSON payload by "requestUrl" and "timeStamp" respectively.
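
The compact-mode proposal above, sketched as an added example that is not part of the original message or of the draft. Assumptions: the "httpHeaders" extension parameter and its "name: value" canonical form are hypothetical, HS256 is used only to stay within the standard library, and the key, headers and payload are constructed sample data.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def header_digest(headers: dict, names: list) -> str:
    # Assumed canonical form (not from the draft): "name: value" lines, lowercase names.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [f"{n.lower()}: {lower.get(n.lower(), '')}" for n in names]
    return b64u(hashlib.sha256("\n".join(lines).encode("utf-8")).digest())

def sign_request(key: bytes, headers: dict, covered: list, payload: bytes, mime: str) -> str:
    # "httpHeaders" is a hypothetical extension parameter in the JWS Protected Header.
    protected = {"alg": "HS256", "typ": mime,
                 "httpHeaders": {"names": covered, "sha256": header_digest(headers, covered)}}
    signing_input = b64u(json.dumps(protected, separators=(",", ":")).encode()) + "." + b64u(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)  # this string is the whole HTTP body

def verify(key: bytes, body: str, headers: dict = None):
    """Return (payload, header_check); header_check is None when no headers are available."""
    h64, p64, s64 = body.split(".")
    protected = json.loads(b64u_decode(h64))
    if protected.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(s64)):
        raise ValueError("bad signature")
    header_check = None
    if headers is not None:
        ext = protected["httpHeaders"]
        header_check = hmac.compare_digest(ext["sha256"], header_digest(headers, ext["names"]))
    return b64u_decode(p64), header_check

# Constructed sample data.
KEY = b"constructed-demo-key"
HEADERS = {"Host": "example.com", "Date": "Fri, 17 Jul 2020 07:52:39 GMT"}
PAYLOAD = json.dumps({"requestUrl": "https://example.com/contract",
                      "timeStamp": "2020-07-17T07:52:39Z"}).encode()
BODY = sign_request(KEY, HEADERS, ["host", "date"], PAYLOAD, "application/json")

if __name__ == "__main__":
    print(verify(KEY, BODY, HEADERS)[1])  # inside the HTTP exchange
    print(verify(KEY, BODY)[1])           # after serialization, headers gone
```

Once the body is stored without its HTTP headers, the payload signature still verifies but the header check has nothing to compare against, which is why the message carries "requestUrl" and "timeStamp" inside the signed payload.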