If you use HTTP Signatures for authentication and authorization of HTTP Get requests, you need to process HTTP Signatures synchronously anyway. So this is an issue that needs to be solved, if one want to build an instance that is somewhat “secure”. This is not the thread to define what “secure” means.
I’m currently trying to write up a nlnet proposal that basically combines
- this issue
- with the idea in this thread
- and ideas I discussed in the test suite
The end result will hopefully be something that tells everybody what they implemented incorrectly.