I'm looking at the Readme.md for http-signing that is part of Joyent's node-http-signature module, and it says to use a "special name" to include the HTTP request target into the signature base:
To include the HTTP request line in the signature calculation, use the special request-line value. While this is overloading the definition of headers in HTTP linguism, the request-line is defined in RFC 2616, and as the outlier from headers in useful signature calculation, it is deemed simpler to simply use request-line than to add a separate parameter for it.
Including request-line would imply including text like POST /url/path/here HTTP/1.1 into the signature base.
Conversely, draft 03 of the spec says to use a different "special value" to include the request target:
If the header field name is (request-target) then generate the header field value by concatenating the lowercased :method, an ASCII space, and the :path pseudo-headers
Yes, (request-target) in parens.
With the former, the signature base for a request might look like:
POST /foo HTTP/1.1 + "\n"
date: Tue, 07 Jun 2011 20:51:35 GMT + "\n"
content-type: application/json + "\n"
content-md5: h0auK8hnYJKmHTLhKtMTkQ==
...whereas with the latter, the signature base for the same request would look like this:
(request-target): POST /foo + "\n"
date: Tue, 07 Jun 2011 20:51:35 GMT + "\n"
content-type: application/json + "\n"
content-md5: h0auK8hnYJKmHTLhKtMTkQ==
So which is authoritative? I doubt that there will remain two ways to include the method and path into the signature base.
I suspect "implementations rule", but I'd like to know the real intention.
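
The two constructions compared above, as an added example that is not part of the original post or of node-http-signature's code: it builds the signature base both ways (lowercasing the method for (request-target), as the quoted draft text says) and shows that a signature made under one convention does not verify under the other. The HMAC-SHA256 key, the function names and the request object are assumptions for illustration.

```javascript
// Added example: the request, key and function names are constructed for illustration.
const crypto = require("crypto");

const request = {
  method: "POST", path: "/foo", httpVersion: "1.1",
  headers: {
    "date": "Tue, 07 Jun 2011 20:51:35 GMT",
    "content-type": "application/json",
    "content-md5": "h0auK8hnYJKmHTLhKtMTkQ==",
  },
};

// Build the signature base for an ordered list of (pseudo-)header names.
function signingString(req, names) {
  return names.map((name) => {
    if (name === "request-line") {          // README convention: the raw request line
      return `${req.method} ${req.path} HTTP/${req.httpVersion}`;
    }
    if (name === "(request-target)") {      // draft 03 convention: lowercased method + path
      return `(request-target): ${req.method.toLowerCase()} ${req.path}`;
    }
    const value = req.headers[name];
    if (value === undefined) throw new Error(`missing header: ${name}`);
    return `${name}: ${value}`;
  }).join("\n");                            // no trailing newline after the last line
}

function sign(req, names, key) {
  return crypto.createHmac("sha256", key).update(signingString(req, names)).digest();
}

// Recompute the MAC over the verifier's own signature base and compare in constant time.
function verify(req, names, key, signature) {
  const expected = sign(req, names, key);
  return expected.length === signature.length && crypto.timingSafeEqual(expected, signature);
}

const KEY = "constructed-demo-key";
const REST = ["date", "content-type", "content-md5"];
const readmeStyle = ["request-line", ...REST];
const draftStyle = ["(request-target)", ...REST];

const sig = sign(request, readmeStyle, KEY);
console.log(verify(request, readmeStyle, KEY, sig)); // true
console.log(verify(request, draftStyle, KEY, sig));  // false
```

Under either convention, changing the path after signing invalidates the signature, which is the reason for covering the request target at all.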