```ruby require 'json' require 'http'

post '/inbox' do signature_header = request.headers['Signature'].split(',').map do |pair| pair.split('=').map do |value| value.gsub(/\A"/, '').gsub(/"\z/, '') # "foo" -> foo end end.to_h

key_id = signature_header['keyId'] headers = signature_header['headers'] signature = Base64.decode64(signature_header['signature'])

actor = JSON.parse(HTTP.get(key_id).to_s) key = OpenSSL::PKey::RSA.new(actor['publicKey']['publicKeyPem'])

comparison_string = headers.split(' ').map do |signed_header_name| if signed_header_name == '(request-target)' '(request-target): post /inbox' else "#{signed_header_name}: #{request.headers[signed_header_name.capitalize]}" end end

if key.verify(OpenSSL::Digest::SHA256.new, signature, comparison_string) request.body.rewind INBOX << request.body.read [200, 'OK'] else [401, 'Request signature could not be verified'] end end ```

``` Server: imap.ietf.org Port: 143 or 993

For authenticated access use your datatracker login and password.

For anonymous access use username="anonymous", and provide your email address as a password. ```

imaps://imap.ietf.org

Is the entropy from Q_plain really needed? A reason for it would be that the client provides randomness with the nonce contained in Q_plain, in the sense of a contributive key exchange. However, the client already contributes the HPKE ephemeral key.

If the Extract step should stay, I suggest changing the order of Q_plain and odoh_secret. The value odoh_secret is of fixed size and uniformly random, and thus fits better as salt to HKDF-Extract. If the first value is longer than a hash function block size, HMAC will do an additional hashing step: This seems easily possible for Q_plain.

How is this defined?

What kind of keys are meant here? Unique target public keys per client?

The function could receive only ct instead, as it does not use enc, and setup_query_context already splits Q_encrypted.

The function does not use this parameter.

The context is not returned by this function, but required as parameter to decrypt_response_body.

config contains kem_id, kdf_id, aead_id, and the public key. Why is entropy extraction needed here?

The registry with the listing for cite-as is here. https://www.iana.org/assignments/link-relations/link-relations.xhtml