Re: [Atlas] Request signing
Mark Baugher <markjohnbaugher@gmail.com> Tue, 23 January 2018 01:15 UTC
Return-Path: <markjohnbaugher@gmail.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6C712D852 for <atlas@ietfa.amsl.com>; Mon, 22 Jan 2018 17:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XzaZ7Fn8gBBf for <atlas@ietfa.amsl.com>; Mon, 22 Jan 2018 17:15:00 -0800 (PST)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 367731201F2 for <atlas@ietf.org>; Mon, 22 Jan 2018 17:15:00 -0800 (PST)
Received: by mail-pg0-x22d.google.com with SMTP id 136so8485720pgd.8 for <atlas@ietf.org>; Mon, 22 Jan 2018 17:15:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fBLtQeEHOLCz3SzJ4q34JSsJSmkqw+75OnscB3ZeQf4=; b=EExihUsbibtVGCS+YmdvRBtvWJirMcyOTmfkw9vL7USdNPo+7Yu/5oBuZNZYWZVDab rLpsF5yaHUbd+Sf/lg4iqdWBkSrdtAeR5BJjqqRUqxawOOGENuQ0JPPbOAFoB6r6dvF/ z/IXbCQNA1re7XDpqZiDAXcM2MV3dpLqr834YpuXHVy1Uzok9ymHgQEM1/tbsgUZLEdM J/sbI5NAzcEcrMFNaiLrXVUT34qNTUMv9HAIImDCFwQCYF3tWQgeQn+mhoLMYxaJjGnA HzeS0xrKzPsH8clRWhqTIEmg2Y249qxvEWKiNqlJKUwNZeWZcWIkZglLfjTyIFmDjY6d cI5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fBLtQeEHOLCz3SzJ4q34JSsJSmkqw+75OnscB3ZeQf4=; b=T9ugcAxmMyGMiG9nPcAZ2ZvP4O+pqpoaR6HRglQli0z05jMQkIekv68E/Nj08/9DGe 6ZbAA88DQsvvFJKHFkoQwV2ADc1yAS6d2Rk5tpv9i+ZXZHVqsr7e+7o6IsLn34kYw+ca AhcsFnXwoVkX4Drlt3r7FZgfoy+Mybnc3D+Fz4t6LaQPME6CjOn02ec06fR8XQqTxmHW VXq3ayr3zg8jkmFI0lzZZ9LjdOkmA4kJfQ5kxVmrGZSVydgp7eVJEw6lIxmKEKqhvvZO 0WCtwuHDpPOC0RO/XSd6lLFMwC7uLK7CdCZ3jO3s/2wpQBWPA+L/FpMWyrzHmdHdEO0Y IlFA==
X-Gm-Message-State: AKwxytdb0mMPUG6qgUAFBlVuYvQ33Re5+UtCO5FHaFgk2MSQlEebH3sN MEYQ2VQijfYrHJ2lo1/kTcX3rmkE
X-Google-Smtp-Source: AH8x224OAYLABqDj80GIVc86NjLzbQv8A3qFiKjozI7DtP0dC09npTk4BKF5VFWqhI4/c0CaHP2C0w==
X-Received: by 10.101.85.15 with SMTP id f15mr7914481pgr.153.1516670099647; Mon, 22 Jan 2018 17:14:59 -0800 (PST)
Received: from [192.168.1.5] ([24.22.21.140]) by smtp.gmail.com with ESMTPSA id i192sm9709299pgc.8.2018.01.22.17.14.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Jan 2018 17:14:59 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Mark Baugher <markjohnbaugher@gmail.com>
In-Reply-To: <E02DE08B-5435-4C28-BADE-DC73AA0B5E7C@vigilsec.com>
Date: Mon, 22 Jan 2018 17:14:57 -0800
Cc: Phil Hunt <phil.hunt@oracle.com>, atlas@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <41A659FF-291F-47E9-8511-B30984FF8611@gmail.com>
References: <13811A5D-991C-4BE4-9218-4B68D78C0141@oracle.com> <E02DE08B-5435-4C28-BADE-DC73AA0B5E7C@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/0Mgo6ogZEckbe3ITZwv8XP1QPxE>
Subject: Re: [Atlas] Request signing
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 01:15:02 -0000
Hi > On Jan 22, 2018, at 1:20 PM, Russ Housley <housley@vigilsec.com> wrote: > > This was the primary goal of SHTTP. See RFC 2660. Of course, SHTTP never saw wide-spread deployment. I recall it was a specific solution for a specific protocol. Can't a generic protocol accomplish that as well? I see ATLAS as a generic solution that does at least some of what CMS (RFC 5652) does, but ATLAS uses TLS key establishment. My view of ATLAS comes from working on the problem of end-to-end IoT security, e.g. through middle boxes: Both CMS-style encapsulation and application-level TLS have been proposed for IoT messaging. To me, a compelling reason for re-using TLS/DTLS is key establishment. A compelling reason for considering CMS-style encapsulation (COSE,OSCOAP) is adaptation to different application protocols, which may have different needs and require different profiles for what gets exposed between endpoints. So, can ATLAS provide the sort of function SHTTP provided or that Phil asked about? I don't know. I still don't know if using ATLAS for IoT encapsulations like CBOR is a win over COSE. We know there is a need for this: COSE lacks key management and that's a lot. Chat protocols took a long time to achieve end-to-end confidentiality and integrity through WhatsApp/Signal (following years of refusal by the industry to deploy CMS for that purpose). There are other applications that need end-to-end security. What if we could do that with one protocol that includes both key management and secure enveloping? Mark > > Russ > > >> On Jan 22, 2018, at 2:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote: >> >> A problem that keeps coming up in HTTP is the ability to sign requests/responses. Some see this as additional security, but others see this as beneficial for after-the-fact verification (e.g auditing). >> >> If ATLAS proposes to encapsulate HTTP to prevent interference by intermediaries than it likely would also solve problems that HTTP request signing proposals have not been able to overcome — the possibility that intermediaries may alter HTTP requests for good (or bad) reasons. >> >> Has this been discussed? >> >> Thanks, >> >> Phil >> >> Oracle Corporation, Identity Cloud Services Architect >> @independentid >> www.independentid.com >> phil.hunt@oracle.com > > _______________________________________________ > Atlas mailing list > Atlas@ietf.org > https://www.ietf.org/mailman/listinfo/atlas
- [Atlas] Request signing Phil Hunt
- Re: [Atlas] Request signing Russ Housley
- Re: [Atlas] Request signing Hannes Tschofenig
- Re: [Atlas] Request signing Mark Baugher
- Re: [Atlas] Request signing Phil Hunt