Add support for special headers `(created)` and `(expires)`

For these two headers you need to include them in the Signature field while signing, and read them off of the Signature header while validating. This comes from ref 11+ of the cavage draft:

See #2,,

Note that the following checks are yet to be implemented; I wonder if you would like to include them:

  • Require that created and expires are timestamps
  • Require that the two timestamps are in the past/future respectively
  • Require that keys including these two in the headers are not rsa, hmac or ecdsa
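
One way to write the three checks listed above, as an added example that is not part of the merge request or the project's code. The function names, the `skew` parameter and the sample header value are assumptions, and the rsa/hmac/ecdsa rule is read here as a prefix test on the `algorithm` parameter.

```python
import re
import time

# Assumption: parameters are comma-separated key="value" or key=token pairs.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s"]+))')
_LEGACY_PREFIXES = ("rsa", "hmac", "ecdsa")

# Constructed sample value, not taken from the merge request.
SAMPLE = ('keyId="test-key",algorithm="hs2019",created=1402170695,'
          'expires=1402170995,headers="(request-target) (created) (expires)",'
          'signature="Y29uc3RydWN0ZWQ="')

def parse_signature_params(value):
    """Split a Signature header value into a dict of its parameters."""
    params = {}
    for m in _PARAM.finditer(value):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def check_time_headers(value, now=None, skew=0):
    """Return a list of problems; an empty list means all three checks pass."""
    now = time.time() if now is None else now
    p = parse_signature_params(value)
    covered = p.get("headers", "").lower().split()
    algorithm = p.get("algorithm", "")
    errors, stamps = [], {}
    for name in ("created", "expires"):
        pseudo = f"({name})"
        if pseudo not in covered:
            continue  # not in the signed header list, nothing to enforce
        if algorithm.lower().startswith(_LEGACY_PREFIXES):
            errors.append(f"{pseudo} not allowed with algorithm {algorithm}")
        raw = p.get(name)
        if raw is None:
            errors.append(f"{pseudo} is signed but the {name} parameter is missing")
        elif not re.fullmatch(r"\d+(\.\d+)?", raw):
            errors.append(f"{name} is not a timestamp: {raw!r}")
        else:
            stamps[name] = float(raw)
    if "created" in stamps and stamps["created"] > now + skew:
        errors.append("created is in the future")
    if "expires" in stamps and stamps["expires"] < now - skew:
        errors.append("expires is in the past")
    return errors

if __name__ == "__main__":
    print(check_time_headers(SAMPLE, now=1402170700))
```

These checks only inspect the parameters; they run alongside signature verification, not in place of it.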