Re: [http-auth] First draft of HTTP Signatures published
Phillip Hallam-Baker <hallam@gmail.com> Thu, 16 May 2013 14:04 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9E3221F9344 for <http-auth@ietfa.amsl.com>; Thu, 16 May 2013 07:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tvl+qHyoqMO5 for <http-auth@ietfa.amsl.com>; Thu, 16 May 2013 07:04:55 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) by ietfa.amsl.com (Postfix) with ESMTP id 0640F21F92EC for <http-auth@ietf.org>; Thu, 16 May 2013 07:04:54 -0700 (PDT)
Received: by mail-wi0-f176.google.com with SMTP id hr14so6280398wib.15 for <http-auth@ietf.org>; Thu, 16 May 2013 07:04:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=cmDK7pzfZxfVZX8hh0H5zdn3jQHAMvLKQMSaOeLXLwg=; b=za0koRDOTu0tmd92fVGK1t8KumR3yOG7L4RGl/RMLDbWCGXd3GcNNyV4tDn39Em63O iMEYmGcEM5mWu13fJ/nwjBEDS/X4giiVKpHFvlpJYCoclSFzR5sY2IWWZcTLIUNZSoeU ZPUmwLeSglY5KHUAEYbASyvdEuV9WDb3n2TDJZIrfHqCeKJOJVpfIpGDLfqwpfxo2NRV AncsknQYQnbR+v8IH3li56WJMqJlv9f4e/mNaDAaYTA3VV3JYacvMdrDprPcAJTm/vDu CyZgEC9OHU/1SaKmwTPs0d59XHseIK5c1mfofVkkTb9sQuoUoDVd0ioykJGtBRsJDrSV f3JA==
MIME-Version: 1.0
X-Received: by 10.180.212.3 with SMTP id ng3mr25056258wic.22.1368712632037; Thu, 16 May 2013 06:57:12 -0700 (PDT)
Received: by 10.194.162.8 with HTTP; Thu, 16 May 2013 06:57:11 -0700 (PDT)
In-Reply-To: <51911E5A.1000309@andrew.cmu.edu>
References: <518D3C8B.3080807@digitalbazaar.com> <255B9BB34FB7D647A506DC292726F6E1150D5134B8@WSMSG3153V.srv.dir.telstra.com> <31478_1368464556_r4DH2YHq000867_CAD4=_i4cCvYccigAR1eTaNRhLOWciPHfGO2OG+ahZEaouqhFow@mail.gmail.com> <51911E5A.1000309@andrew.cmu.edu>
Date: Thu, 16 May 2013 09:57:11 -0400
Message-ID: <CAMm+Lwj2wwPearLn86D6apdO2FQOkBcPgfb9Xtq1EfdhE=3ibA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ken Murchison <murch@andrew.cmu.edu>
Content-Type: multipart/alternative; boundary="001a11c356f43b77a404dcd63ece"
Cc: HTTP Auth WG <http-auth@ietf.org>
Subject: Re: [http-auth] First draft of HTTP Signatures published
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2013 14:04:56 -0000
HTTP Session Continuation is a separate spec but I would like to share as much as possible between them. http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt Early versions of the session continuation mechanism included header signing. That is a real headache. The only way that I think it can be made to work reliably is to duplicate the information that you want to sign into the signing header which is the approach in DKIM. For HTTP transactions, the only headers that I think should ever be signed are content meta-data. The reason signing is hard in SMTP and HTTP is that there is a huge confusion between headers used for routing and headers that are properly part of the content. This is perhaps a change that could be made in HTTP/2. You will find a lot of objections being made of the form 'this will break when intermediaries change content'. And they will continue to be made no matter how many times you point out that detecting changes to the content and rejecting that transaction is the whole objective. So there will need to be some statement to the effect that the intended behavior is to prevent all types of content modification. We don't yet know what the effect of intermediaries is on the request line and I suspect that as we get into tests we are going to discover that we have to do some form of canonicalization. For example, I strongly suspect that we are going to want to combine the Host-Name header and http method into the request line to make it a canonical url.
- [http-auth] First draft of HTTP Signatures publis… Manu Sporny
- Re: [http-auth] First draft of HTTP Signatures pu… Yoav Nir
- Re: [http-auth] First draft of HTTP Signatures pu… Stephen Farrell
- Re: [http-auth] First draft of HTTP Signatures pu… Yoav Nir
- Re: [http-auth] First draft of HTTP Signatures pu… Manu Sporny
- Re: [http-auth] First draft of HTTP Signatures pu… Manu Sporny
- Re: [http-auth] First draft of HTTP Signatures pu… Manu Sporny
- Re: [http-auth] First draft of HTTP Signatures pu… Manger, James H
- Re: [http-auth] First draft of HTTP Signatures pu… Mark Cavage
- Re: [http-auth] First draft of HTTP Signatures pu… Ken Murchison
- Re: [http-auth] First draft of HTTP Signatures pu… Phillip Hallam-Baker
- Re: [http-auth] First draft of HTTP Signatures pu… Michael Richardson
- Re: [http-auth] First draft of HTTP Signatures pu… Phillip Hallam-Baker
- [http-auth] Session continuation and authenticati… Ilari Liusvaara
- Re: [http-auth] Session continuation and authenti… Stephen Farrell
- Re: [http-auth] Session continuation and authenti… Michael Thomas
- Re: [http-auth] Session continuation and authenti… Phillip Hallam-Baker
- Re: [http-auth] Session continuation and authenti… Ilari Liusvaara