HTTP Message Signatures (RFC9421)
02-27, 09:30–10:00 (UTC), Kaldalón

Signing HTTP Messages: How Hard Could It Be?


It's really hard, actually, because HTTP is super weird. We'll talk through how it works, why it works how it does, and how it could be applied to the OAuth and OIDC worlds. We'll also look back at one year of the RFC to see how people are applying, misapplying, confusing, and expanding HTTP signatures in the wild.

Justin Richer is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of OAuth2 In Action and a contributor to OAuth 2.0 and OpenID Connect. Justin is the editor of a variety of standards including GNAP, HTTP Message Signatures, and OAuth extensions RFC7591, RFC7592, RFC7662, and RFC9396. Justin is a co-author of NIST SP 800-63, FIPS201, and NIST SP 800-217.
