S/MIME is not for Mail Only

Oct 8, 2007

James Clark thinks there’s a real need for a cache-friendly way to sign HTTP responses — to get the benefits of HTTP caching while ensuring integrity. Sam Ruby points to RFC 4130, which explains how to combine S/MIME with HTTP:

The data is packaged using standard MIME structures. Authentication and data confidentiality are obtained by using Cryptographic Message Syntax with S/MIME security body parts. Authenticated acknowledgements make use of multipart/signed Message Disposition Notification (MDN) responses to the original HTTP message.
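To make the caching angle concrete, here is an added example (not from the original post or from RFC 4130) that uses the `openssl smime` command to wrap a response entity in multipart/signed and then shows verification failing once a stored copy is altered. It covers only the detached-signature packaging, not the rest of the RFC 4130 exchange; the certificate subject, file names and JSON body are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached S/MIME signature over an HTTP response entity.
# Names, paths and the JSON body are constructed for this demo.

# Create a throwaway self-signed signing certificate in directory $1.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=origin.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Write a constructed MIME entity (headers + body) to $1/entity.txt.
make_entity() {
    printf 'Content-Type: application/json\r\n\r\n{"version":"v1"}\r\n' \
        > "$1/entity.txt"
}

# Sign $1/entity.txt. "openssl smime -sign" is detached by default, so the
# output is multipart/signed: the entity in clear plus a signature part.
sign_entity() {
    openssl smime -sign -in "$1/entity.txt" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/signed.msg" 2>/dev/null
}

# Verify message $2 against the pinned certificate in $1; returns 0 if valid.
verify_msg() {
    openssl smime -verify -in "$2" -CAfile "$1/cert.pem" \
        -out /dev/null 2>/dev/null
}

# Simulate an intermediary (for example a cache) altering the stored body.
tamper() {
    sed 's/"v1"/"v2"/' "$1/signed.msg" > "$1/tampered.msg"
}

demo() {
    d=$(mktemp -d) || return 1
    make_signer "$d" && make_entity "$d" && sign_entity "$d" \
        && tamper "$d" || return 1
    verify_msg "$d" "$d/signed.msg" && echo "original: signature OK"
    verify_msg "$d" "$d/tampered.msg" || echo "tampered: verification FAILED"
    rm -rf "$d"
}
demo
```

Because the signature is detached, the signed bytes are identical for every client, so an intermediary can cache them without holding any key; the client's trust rests entirely on the certificate it pins or validates.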