w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

Status of the Authorization header #111

Open kislyuk opened 4 years ago

kislyuk commented 4 years ago

All mentions of using the Authorization header to carry the signature were removed from https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures (compared to https://tools.ietf.org/html/draft-cavage-http-signatures-12, which I originally wrote my implementation to).

I'm totally on board with that but want to clarify. The draft states that it maintains "normative compatibility" with Cavage, which includes a spec for using the Authorization header. Are there specific reasons to avoid using the Authorization header (aside from situations where it's being used for something else)? It would be nice if the spec included a discussion of this.