HTTP header for entity signature
https://stackoverflow.com/questions/10599469
-
09-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
There is a standard header for giving a digest of an HTTP request body (Content-MD5).
Is there a commonly-used header name for including a DSA signature of a digest (generated with openssl dgst -dss1 -sign <keyfile>), or do I need to just invent an application-specific one?
Solution 2
I think I want to be looking at S/MIME instead, the standard for constructing entity bodies that are encrypted and/or signed.
OTHER TIPS
It's looking to me like you'd need to invent an application-specific one (a quick google search turned up nothing), but if other people do use this then the most common header would probably be something along the lines of X-Content-DSA.
There is a proposal for signing HTTP messages. First proposed in 2013, it has seen many revisions in the past two years, hopefully an indication of activity moving it forward.
According to the proposal, the request sender can sign a desired amount of header fields and the URL using their algorithm of choice. The signature is added using the Authorization header with specific format. To sign the request payload, the payload digest is included in the HTTP Digest header and that header is included in the signature.
