Strong authentication for the web

HTTPsec is a strong authentication scheme for HTTP transactions. It defines an HTTP extension for mutual authentication and message origin authentication, via the integrity protection of a defined set of HTTP message headers. It offers message sequence integrity, forward secrecy, and optionally content integrity and content ciphering.

HTTPsec can authenticate any web traffic between any identities or peers that can provide certificates or RSA public keys. HTTPsec is designed for scenarios where credential-based schemes are inappropriate for architectural reasons or are simply considered too weak. It is also appropriate where message-layer security requirements are not otherwise satisfied by transport-layer or network-layer security protocols. It is however not intended as a substitute for lower- or higher-layer security protocols, and indeed may usefully coexist with these.

See the HTTPsec homepage for more information and specifications.

Secarta products include implementations and applications of HTTPsec.