Forbid "(request-target)" in response signature

[liamdennehy]

Right now there is no way for a response to transport all the parameters required to reconstruct the (request-target) signing string component.

As the messages are exchanged obviously both the client and server know the values, as one transmitted and the other reacted to those in the other half of the conversation, but any signature should be verifiable given only the evidence of the content it protects.

Since this information is not present on a response, (request-target) should be prohibited from appearing in a response signature's headers. If required the server should construct a header specifically for this purpose, which could be as simple as Request-Target, and so no special handling is required to sign it.