Over the past 6 months off and on I’ve been researching and prototyping various security related features for Resteasy.  One thing I’ve wondered is, is anybody really doing anything with HTTP message signing and encryption?  Email seems pretty well rounded in this area with specifications like DOSETA/DKIM and SMIME.  You could theoretically apply these specifications to HTTP, and I have, but I could find no examples of people doing so on the Web.  Maybe its just that my Google searching skillz are poor.

Another thing I’ve noticed is that the crypto libraries (bouncycastle and python’s M2Crypto) pretty much center around email as the protocol and you have to dive into the codebase a bit to figure out ways to transmit things over HTTP. Bouncycastle relies on javax.mail multipart implementation which is a bit limited and not very lenient on parsing (Didn’t like python’s SMIME output).

Anyways, I hope to do a Resteasy 2.3 beta soon with SMIME support.  With it I’ll have examples of Python clients posting to Resteasy services transmitting SMIME formated requests.  I’ll post a few blogs on the subject so you can see how to transmit SMIME between M2Crypto and Bouncycastle. (Python and Java).

In the meantime, does anybody have any experience in this area?