Re: [Acme] Signing HTTP Messages
Richard Barnes <rlb@ipv.sx> Sat, 20 December 2014 00:35 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B0C51A8A10 for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 16:35:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZzg40dP-LZl for <acme@ietfa.amsl.com>; Fri, 19 Dec 2014 16:35:31 -0800 (PST)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA38A1A875E for <acme@ietf.org>; Fri, 19 Dec 2014 16:35:30 -0800 (PST)
Received: by mail-lb0-f182.google.com with SMTP id f15so1805247lbj.27 for <acme@ietf.org>; Fri, 19 Dec 2014 16:35:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=GZD7U0QKI/skWpQeBTIr/KFpOIDjK1i9lVqi7dRObAw=; b=F/EtzVCW2SM8E3XLXw1Y4Hr5d6K5mAW0UfcEMNPBsHwwS2WQT+OfMIHQAv91Xclz8n MAWzWWZ+dfI51m94FBMPsRP73z3A6C2+MbvVcDkR3XiZT2hHr7r68+trq7KaYVZTRZwA hgigCWT273wlFrMMMdyn/znSB32zw9p51XafOvs6LSXqR8/vh/knjVwymxQKH5Uqs9PO yl+rFWe1/GYpCvOToIm5zMvip7wtUzWnLvrETTPdl0bTveOUVCEefpQvz5GWj70i0po9 kv6dRvnP1J6cJ2x3U195DOtw2zYcYbzjMAMTPX99y8e64y73bdkmA1sStVkVqsOY/ajy CUvg==
X-Gm-Message-State: ALoCoQm3ad78JytcKDBchN+RNmzm9epSSl/nkpPKqvXffxoGu9DUstZQ0yRJlyiIlOlhQ8Mczw2J
MIME-Version: 1.0
X-Received: by 10.152.26.201 with SMTP id n9mr10594541lag.50.1419035729302; Fri, 19 Dec 2014 16:35:29 -0800 (PST)
Received: by 10.25.12.215 with HTTP; Fri, 19 Dec 2014 16:35:29 -0800 (PST)
In-Reply-To: <5494AE04.6070207@digitalbazaar.com>
References: <5494AE04.6070207@digitalbazaar.com>
Date: Fri, 19 Dec 2014 19:35:29 -0500
Message-ID: <CAL02cgRH8gNg2TKr+uEnFtmnQm0eR_=pQhFpUVPePqT5c9t6Pg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Manu Sporny <msporny@digitalbazaar.com>
Content-Type: multipart/alternative; boundary="089e0160a70691ae68050a9b007b"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/xrZJQnkaVPRa3oQxquU-oWEqQn4
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ACME <acme@ietf.org>
Subject: Re: [Acme] Signing HTTP Messages
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 00:35:33 -0000
Hey Manu, Thanks for reaching out. Just so the context is clear, there's nothing in ACME currently that uses an HTTP header to convey a signature structure. It's all in the body. The draft-cavage- document had been pointed out to me before. It's too ambitious :) That draft tries to solve the problem of signing an HTTP message. That's a fiendishly difficult problem because it involves headers, whose complicated, ambiguous syntax is inimical to signing. Also, middleboxes routinely tamper with headers. All I want is to sign the body of the message. HTTP treats the body as an octet string, which means there's no c14n issues. And middleboxes tamper with bodies much less often. Also, the draft-cavage- document invents its own signature syntax, when it should just use JWS. So my proposal was: Start with a Content-Signature header that just has a JWS covering the body. In some cases that's all you want, and it's a more tractable problem than covering HTTP messages as a whole. Then, if you want to protect HTTP headers later, you can add a signed attribute to the JWS (e.g., digest(canonicalized-header-info)). Does that make sense? Is that at all relevant to your use cases? --Richard On Fri, Dec 19, 2014 at 6:00 PM, Manu Sporny <msporny@digitalbazaar.com> wrote: > > > I like the idea of using a header like container for the signature. > > It makes good architectural sense and it is easy to code. A signature > > is logically meta-data and so it should be expressed as a header. > > Hey Phillip, Richard, > > I'm not on the ACME mailing list, nor do I have the bandwidth to follow > the ACME discussions (even though I love what you guys are doing over > there) but what you two are talking about here: > > http://www.ietf.org/mail-archive/web/acme/current/msg00125.html > > Sounds an awful lot like this (which has existed for years): > > http://tools.ietf.org/html/draft-cavage-http-signatures-03 > > I might be missing something, but saw your conversation fly by and > thought I'd mention it. > > -- manu > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: High-Stakes Credentials and Web Login > http://manu.sporny.org/2014/identity-credentials/ >
- Re: [Acme] Signing HTTP Messages Richard Barnes
- Re: [Acme] Signing HTTP Messages Richard Barnes
- Re: [Acme] Signing HTTP Messages Richard Barnes