HTTP Message Signatures in Go, by the Book

There are many good reasons to sign HTTP messages: doing so ensures the authenticity and integrity of HTTP service calls (a.k.a. REST APIs). Now that RFC 9421 is finally published, we can expect many people to migrate from provisional and proprietary solutions to the standard.

My Go (Golang) implementation covers nearly the entire RFC, and has been tested with all the test vectors that are sprinkled all across the standard. The package is also reasonably well documented, with a number of examples included. It is early days for the standard - and for the Go package - so let me know if you find the library useful. And definitely let me know if something is not working right!

There’s a large community of people now working on service-to-service authentication, which just happens to be a natural use of HTTP Message Signatures. I hope my package is put to good use in securing service infrastructure.

 