Required parameters present

The signature parameters must include created, expires, keyid, and tag.

What this check verifies

After the covered-component list, Signature-Input carries the signature parameters as ;name=value pairs. For the web-bot-auth profile four are required:

  • created - a Unix timestamp for when the signature was made.
  • expires - a Unix timestamp for when it stops being valid.
  • keyid - which key signed it, as a base64url RFC 7638 thumbprint.
  • tag - the profile label, which must be web-bot-auth.

Signature-Input: sig1=("@authority");created=1717603200;expires=1717606800;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0";tag="web-bot-auth"

This check confirms all four names are present. It does not check their values here; the timestamp bounds, the tag value, and keyid resolution have their own checks. alg and nonce are optional and not required by this check.
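A minimal implementation of this check, added here as an example and not the checker's own code. It assumes the Signature-Input field value has already been extracted from the request; the sample header is constructed from the one shown above.

```python
import re

# The four parameters the web-bot-auth profile requires on Signature-Input.
REQUIRED = ("created", "expires", "keyid", "tag")

# Constructed sample, modelled on the header shown above (not the page's own code).
SAMPLE = ('sig1=("@authority");created=1717603200;expires=1717606800;'
          'keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0";tag="web-bot-auth"')

# One dictionary member: label=( inner list ) followed by ;name=value parameters.
# Values are either sf-strings ("...") or bare tokens/integers (no ';' or ',').
_MEMBER = re.compile(r'([A-Za-z0-9_*.-]+)=\(([^)]*)\)((?:;\w+=(?:"(?:[^"\\]|\\.)*"|[^;,\s]+))*)')
_PARAM = re.compile(r';(\w+)=("(?:[^"\\]|\\.)*"|[^;,\s]+)')
# A component identifier is the quoted string at the start of each space-separated item.
_COMPONENT = re.compile(r'(?:^|\s)"([^"]*)"')


def _decode(raw):
    """Turn a parameter value into a Python str (sf-string) or int (sf-integer)."""
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # strip quotes, undo \" and \\ escapes
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    return raw  # other tokens are left as written


def parse_signature_input(header):
    """Return {label: (components, params)} for one Signature-Input field value.

    Minimal parser for the shapes the profile uses, not a full RFC 8941 one.
    """
    result = {}
    for label, inner, param_str in _MEMBER.findall(header):
        components = _COMPONENT.findall(inner)
        params = {name: _decode(raw) for name, raw in _PARAM.findall(param_str)}
        result[label] = (components, params)
    return result


def missing_required(header):
    """Return {label: [missing parameter names]} in REQUIRED order.

    An empty list means the label passes this check. Optional parameters such
    as alg and nonce are ignored, and values are not validated here.
    """
    return {label: [name for name in REQUIRED if name not in params]
            for label, (_components, params) in parse_signature_input(header).items()}


if __name__ == "__main__":
    print(missing_required(SAMPLE))  # {'sig1': []}
    print(missing_required(SAMPLE.replace(';tag="web-bot-auth"', "")))  # {'sig1': ['tag']}
```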

Why it matters

Each required parameter feeds a later step. created and expires bound the validity window so a verifier can reject stale or premature signatures. keyid tells the verifier which directory key to check against. tag identifies the profile so a verifier knows the request is claiming to be Web Bot Auth rather than some other use of HTTP Message Signatures. A missing parameter leaves one of those steps with nothing to work with.

The parameters are also part of the signed input: they appear in @signature-params inside the signature base. Adding or dropping one after signing changes the base and breaks verification, so the set has to be right at signing time.

How to fix it

Include all four parameters when you build Signature-Input:

;created=<unix-seconds>;expires=<unix-seconds>;keyid="<thumbprint>";tag="web-bot-auth"

  • Set created and expires to integer Unix timestamps in seconds, with expires after created.
  • Set keyid to the RFC 7638 thumbprint of the signing key, matching a key in your directory.
  • Set tag to the literal string web-bot-auth.

A signing library for the profile sets these for you. If you assemble the header by hand, confirm none of the four is dropped.

References

  • RFC 9421 defines the created, expires, keyid, and tag signature parameters.
  • RFC 7638 defines the JWK thumbprint used as keyid.
  • The web-bot-auth architecture draft lists created, expires, keyid, and tag as the mandatory parameters.
  • How grading works explains how a missing parameter affects the grade.

How the checker scores this

Tier: Signature
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 30 points; a warning deducts 8.