1

There is a standard header for giving a digest of an HTTP request body (Content-MD5).

Is there a commonly-used header name for including a DSA signature of a digest (generated with openssl dgst -dss1 -sign <keyfile>), or do I need to just invent an application-specific one?

OrangeDog

3 Answers

1

It's looking to me like you'd need to invent an application-specific one (a quick google search turned up nothing), but if other people do use this then the most common header would probably be something along the lines of X-Content-DSA.

demize
  • But if someone is using X-Content-DSA, or Content-DSA would ever end up in the standard, I want to make sure mine would be exactly the same thing and not, for example, using a different digest algorithm or a different key length. – OrangeDog May 16 '12 at 11:04
  • @OrangeDog As far as I can tell, there is nobody else using it. If you're worried about compatibility issues though, you can always name your header something like `X-OrangeDog-DSA` since that would be unique. If you want other people to use it, then you can write an I-D and submit it as an RFC, but this would likely be a long and torturous process (for more details see [here](http://www.rfc-editor.org/pubprocess.html)). – demize May 16 '12 at 19:52
  • Yeah, that's what I meant by an application-specific name. – OrangeDog May 16 '12 at 19:59
  • Yeah, then I'd suggest `X-something` where something is a portmanteau of your app name and DSA. – demize May 16 '12 at 23:51
0

I think I want to be looking at S/MIME instead, the standard for constructing entity bodies that are encrypted and/or signed.

OrangeDog
0

There is a proposal for signing HTTP messages. First proposed in 2013, it has seen many revisions in the past two years, hopefully an indication of activity moving it forward.

According to the proposal, the request sender can sign a desired number of header fields and the URL using their algorithm of choice. The signature is added using the Authorization header with a specific format. To sign the request payload, the payload digest is included in the HTTP Digest header and that header is included in the signature.

Sampo
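The scheme described in this answer, as an added example that is neither the proposal's reference code nor code from any poster here: it follows the shape of the draft-cavage-http-signatures format (a signing string of `name: value` lines, `(request-target)` standing for the method and path, parameters carried in an `Authorization: Signature ...` header) and uses HMAC-SHA256 so it runs with only the Python standard library; the shared key, key id and request values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed example secret; a real deployment would provision a per-client key.
SHARED_KEY = b"example-shared-secret"


def digest_header(body: bytes) -> str:
    """Value of the Digest header for a payload: SHA-256 of the body, base64-encoded."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict, names: list) -> str:
    """Build the string to be signed from the covered header names, in the listed order.
    '(request-target)' expands to the lowercased method and the request path."""
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign_request(method, path, headers, body, key_id, key):
    """Add a Digest header and return (headers, Authorization value) covering
    the request target, host, date and digest, so the body is bound to the signature."""
    headers = dict(headers)  # header names are expected lowercased
    headers["digest"] = digest_header(body)
    names = ["(request-target)", "host", "date", "digest"]
    mac = hmac.new(key, signing_string(method, path, headers, names).encode(), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    auth = (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{sig}"')
    return headers, auth


def verify_request(method, path, headers, body, auth, key):
    """Recompute the signature on the receiver side; reject if the body no longer matches
    the Digest header, if the digest was not covered, or if any covered header changed."""
    params = dict(p.split("=", 1) for p in auth[len("Signature "):].split(","))
    names = params["headers"].strip('"').split(" ")
    if "digest" not in names or headers.get("digest") != digest_header(body):
        return False
    expected = hmac.new(key, signing_string(method, path, headers, names).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(params["signature"].strip('"')), expected)
```

Note that verification checks the Digest header against the actual body before checking the signature; a signature over an unchecked Digest header proves nothing about the payload.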