Hi Annabelle,
Sure TLS is not th one size fits all but if you swap out Client Y signs / authenticates message A to recipient X by: Client Y uses TLS for authentication of the source (itself), integrity of data / communications and even confidentiality (not really needed in our HTTP signing use case) where TLS is initiated and handled by the client Y itself (native libs or proxy at the same host(s) then you have precisely that what HTTP Message signing should do. (authenticity, integrity and as a bonus confidentiality). That said, one can opt for HTTP signing if one wants to, except it is not secure for now and is at present for many developers a nuisance use as it turns out. If you do not want or cannot deal with TLS tunnels and yes indeed TLS connection re-use, by all means go ahead. I would advise my customers to try TLS first because it is proven and simple to implement and so easy (cheap ;-) ) to support. It is always worthwhile to at least try to get Infra on board to see if one can go the TLS route first and if that fails… well then HTTP signing or accept the risk. The issues we have at ING with 3rd parties cause us to back down from using it in general but still for those API’s wanting to have better assurance than otherwise. We do not want to provide our own libs to external parties for obvious (legal mostly) reasons. We did not go the TLS route at first, that turned out a mistake ;-). Let me conclude that I always am quite happy to see alternatives popping up and existing protocols being continuously enhanced. For this I thank you and others to continue developing protocol implementations such as HTTP message signing. Regards, Rob > On 20 Jan 2020, at 21:50, Richard Backman, Annabelle <richa...@amazon.com> > wrote: > > introduction to the HTTP Message Signatures draft > <https://tools.ietf.org/html/draft-richanna-http-message-signatures-00#section-1>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth