This document describes all the changes made to the Authenticating Clients with HTTP Signature document, starting from its first released version.

- Added a notice for the server implementers to ignore unsigned request headers. (This hasn't been previously stressed enough, and it could lead to security vulnerabilities.)

- Added a notice for client implementers to take care not to allow their frameworks and proxies to modify the request after it has been signed (as this could break the signature).

- Upgraded to a stable version.

- Loosened requirements on the HTTP response code when an invalid `Authorization` header is found. HTTP 400 is also a valid response in this case.
- Loosened requirements on the contents of the `WWW-Authenticate` header.
- Clarified that it's not necessary to verify whether `keyId` matches a proper format. It's sufficient to check whether it has been registered in the Registry (and respond with HTTP 403 if it hasn't).
- Added a new server verification step: verify `X-Request-Id`.
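The two server-side rules above (ignore request headers the signature does not cover, and treat `X-Request-Id` as one of the signed headers) as an added Python example. This is not code from the specification or from any EWP implementation; it assumes the `draft-cavage` header layout (`Signature keyId="…",algorithm="…",headers="…",signature="…"`, signing string built from `(request-target)` and lower-cased header lines), and the sample header names and values are constructed.

```python
import re
from typing import Dict

# Parameters inside the Authorization header: name="value" pairs.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_signature_params(authorization: str) -> Dict[str, str]:
    """Split a draft-cavage style Authorization header into its parameters.

    Raises ValueError when the scheme is wrong or a required parameter
    (keyId, headers, signature) is missing; the caller should answer
    HTTP 400/401 in that case.
    """
    scheme, _, rest = authorization.strip().partition(" ")
    if scheme.lower() != "signature":
        raise ValueError("not an HTTP Signature Authorization header")
    params = dict(_PARAM_RE.findall(rest))
    for required in ("keyId", "headers", "signature"):
        if required not in params:
            raise ValueError(f"missing {required} parameter")
    return params


def signed_headers_only(request_headers: Dict[str, str],
                        params: Dict[str, str]) -> Dict[str, str]:
    """Return only the headers listed in the signature's 'headers' parameter.

    Anything not covered by the signature is dropped before the server
    looks at it; header names are compared case-insensitively.
    """
    covered = {name.lower() for name in params["headers"].split()}
    return {k: v for k, v in request_headers.items() if k.lower() in covered}


def build_signing_string(method: str, path: str,
                         request_headers: Dict[str, str],
                         params: Dict[str, str]) -> str:
    """Rebuild the string the client signed, in the order given by 'headers'.

    A covered header that is absent from the request (for example a missing
    X-Request-Id) is an error, not a silently skipped line.
    """
    lower = {k.lower(): v for k, v in request_headers.items()}
    lines = []
    for name in params["headers"].split():
        name = name.lower()
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise ValueError(f"signed header {name} missing from request")
    return "\n".join(lines)
```

The returned signing string is what the server verifies against the `signature` value with the key it looked up by `keyId` in the Registry; verification itself is left to the crypto library in use.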

- Use public key digests instead of actual keys in the `keyId` parameter of the `Authorization` header (see this issue).
- Allow `Original-Date` to be used in place of the `Date` header (see this issue).

- Make it usable with the v2 security.

- Add the `security-entries.xsd` file (which describes the XML element used to identify this method of authentication in the manifest files and the Registry).
- Upgraded from `draft-cavage-http-signatures-06` to `draft-cavage-http-signatures-07`. Still no RFC though.

- Initial revision.