HTTP Message Signatures (RFC 9421) in fetch and Request/Response

[panva]

I've been chatting with @jricher, one of the authors of RFC 9421 HTTP Message Signatures¹, at the OAuth Security Workshop (#osw10) in Iceland and at IETF 121 Dublin about the forming of TC55 and its fetch() related workstream.

Setting up application-level signatures has never been easy but with RFC 9421 being published last year there's finally a solid framework to be able to make it so. I believe an integration of HTTP Message Signatures and Web Crypto APIs CryptoKey would be a worthwhile and Web API-native solution.

Justin and I are both willing to collaborate on bringing HTTP Message Signatures support to server-side fetch() and Request/Response APIs (the former in hopes of it even standing a chance of ever appearing in browserland).

Footnotes

1. Playground for HTTP Message Signatures ↩

[lucacasonato]

I think we should consider this work only if we see no path for doing this directly in WHATWG - this seems like something that would be interesting in browsers too.