RFC049: Signing the HTTP payload
Background and rationale
The current method of guaranteeing non-repudiation is to sign data inside a JWT, as is done for example in the capability_object. We propose an alternative: signing the HTTP payload. This allows non-repudiation to be added to existing data services without modifying the HTTP body, simply by appending HTTP headers that carry the hash and a signature over the hash (in a JWT).
Proposed change: purpose
Adding the ability to sign the HTTP payload allows existing data services to enable non-repudiation by modifying only the HTTP headers.
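The following is an added example, not part of this RFC: a sender appends a hash header and a JWT signed over that hash, and a receiver checks both against the body bytes it actually received. The header names, the `digest` claim, SHA-256 and Ed25519 (`EdDSA`) are assumptions made for the example; the RFC does not specify them, and the code does not implement the ETSI profile referenced below.

```javascript
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const sha256 = (body) => crypto.createHash('sha256').update(body).digest('base64url');

// Sender: the body is left untouched; only two headers are produced.
// Header and claim names are hypothetical, chosen for this example.
function signPayload(body, privateKey) {
  const digest = sha256(body);
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const claims = b64u(JSON.stringify({ digest, iat: Math.floor(Date.now() / 1000) }));
  const signingInput = `${header}.${claims}`;
  const sig = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return {
    'x-payload-digest': digest,
    'x-payload-signature': `${signingInput}.${b64u(sig)}`,
  };
}

// Receiver: verify the JWT signature, then bind it to the received bytes.
function verifyPayload(body, headers, publicKey) {
  const parts = String(headers['x-payload-signature'] || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed JWT' };
  const [h, c, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url'));
    claims = JSON.parse(Buffer.from(c, 'base64url'));
  } catch { return { ok: false, reason: 'malformed JWT' }; }
  // Pin the algorithm on the receiving side; the token must not choose it.
  if (!header || header.alg !== 'EdDSA') return { ok: false, reason: 'unexpected alg' };
  const sigOk = crypto.verify(null, Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  // Recompute the hash locally; never trust the header value on its own.
  const actual = sha256(body);
  if (!claims || claims.digest !== actual || headers['x-payload-digest'] !== actual)
    return { ok: false, reason: 'digest mismatch' };
  return { ok: true, reason: 'verified' };
}

// Constructed sample: a throwaway key pair and a made-up request body.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const body = Buffer.from('{"containerId":"EXAMPLE-0001","status":"released"}');
const headers = signPayload(body, privateKey);
console.log(headers, verifyPayload(body, headers, publicKey));
```

The receiver has to hash the exact bytes it read from the wire: re-serialising parsed JSON before hashing changes the digest and makes valid requests fail verification.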
Proposed change: considerations and requirements
This suggestion aligns with the following ETSI standard: https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf
Edited by BRietveld