What HttpSig headers should be signed?

[bblfish]

The HTTPSig spec allows any number of headers to be signed. One very useful discussion to be had will be which are the most important headers that need to be signed, which create problems, ....

Latest spec to check is https://github.com/bblfish/authentication-panel/blob/sigUpdate/proposals/HttpSignature.md

[bblfish]

Principle: there should be enough headers to avoid a replay attack.

All signatures contain a timestamp, so that means that we should at the very least sign

• the method used -- using @method see §2.2.1
• the URL to which the request is sent -- using @target-uri §2.2.2

That would avoid the same signature being used by an app to make multiple requests.

[bblfish]

Just after i wrote this up I received an answer by @jrichter suggesting using the Accept-Signature field of the Http Signatures spec.

• Following the previous point, I’d recommend at least signing the @path or @target-uri of the resource request (especially since Solid nodes are all URI-based).

which is what I had concluded myself above, but it is good to have confirmation...

• I’d recommend using the “nonce” and “tag” parameters in the signature as well.

which I had forgotten about... The point of tag is explained in Collision of Application-Specific Signature Tag

[bblfish]

Section §7.2.2 Signature Replay, considers nonces to avoid signature replay attacks. In the initial demo I put together recently the client signs requests before receiving a 401 in order to avoid one round trip to the server. But how would that work with nonces?

I think all I need is for each resource to keep a log of the past n minutes of requests, where n is the
lifetime of a signature so that it can check that a nonce has not been reused...