Secure Business Data Interchange Using HTTP
James Clark: My conclusion is that there’s a real need for a cache-friendly way to sign HTTP responses. (Being able to sign HTTP requests would also be useful, but that solves a different problem.)
Perhaps RFC 4130 would be a good starting point.