Re: HTTP Signing

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 22 November 2019 13:58 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Roberto Polli <robipolli@gmail.com>
CC: Rob Sayre <sayrer@gmail.com>, Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Fri, 22 Nov 2019 13:56:01 +0000
Message-ID: <71630A99-57CA-4AD0-A55B-1A4FD50120FF@amazon.com>
References: <CAChr6SwoGTULzG5jKsEbPRbzb1qK6F-sKT8ArEyQ3BA6T78YAQ@mail.gmail.com> <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com> <3827BF1B-C7D7-45F5-833A-07CA72B64A12@amazon.com> <CAP9qbHU8wxrobYsV1sUsF9vdRAdetQ3Z8fcY-Y=sNdkLhHkYLw@mail.gmail.com>
In-Reply-To: <CAP9qbHU8wxrobYsV1sUsF9vdRAdetQ3Z8fcY-Y=sNdkLhHkYLw@mail.gmail.com>
Subject: Re: HTTP Signing
Archived-At: <https://www.w3.org/mid/71630A99-57CA-4AD0-A55B-1A4FD50120FF@amazon.com>

> Agree, though AWS4 serialization could avoid specifying payload serialization and delegate it to Digest...
I'm looking forward to discussing how we should approach this in the working group. I think there's work to be done on message body signing, particularly for streaming. Neither stock SigV4 nor cavage (IIUC) handles that particularly well.

> My experience with pre-11 draft-cavage resulted in insecure implementations due to under-specification about which fields to sign.
From what I could tell, even on the thread you linked there was disagreement over whether Date and Expires should be included. Date is tricky because signature creation time seems obviously important but the signer may not have access to the value of that header. SigV4 and cavage work around this by providing alternate ways of specifying the creation time (X-Amz-Date, the created parameter). My inclination is that the core signing spec should be as non-prescriptive as possible, but it could offer guidance to profilers.

– 
Annabelle Richard Backman
AWS Identity
 

On 11/22/19, 8:45 PM, "Roberto Polli" <robipolli@gmail.com> wrote:

    Hi A.
    
    On Fri, 22 Nov 2019 at 12:10 Richard Backman, Annabelle
    <richanna@amazon.com> wrote:
    > [..] flexibility regarding what protocol elements are covered by the signature,
    > [..and ..] rigorous canonicalization language.
    > [..] these two concepts are the key to success here.
    
    Agree, though AWS4 serialization could avoid specifying payload serialization
    and delegate it to Digest (see https://github.com/martinthomson/http-mice and
    the resulting revision of
    https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html).
    Serializing the payload body brings the same problems that affected Content-MD5
     https://github.com/httpwg/http-core/issues/93
    
    > [..] produce a core signing specification that defines signature generation and validation
    > without getting prescriptive about what elements get signed.
    > That can then be profiled (here in http, in oauth, in OpenID FAPI, ...) as needed.
    
    My experience with pre-11 draft-cavage resulted in insecure
    implementations due to under-specification
    about which fields to sign. Please see
    https://github.com/w3c-dvcg/http-signatures/issues/35 among
    others.
    While we can define the general procedures, we should provide a table
    or something of required fields,
    thus avoiding having to address issues in future docs (e.g. see JWT and
    https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/).
    
    > That core spec is what I am currently working on, starting from cavage.
    > I hope to have an I-D ready to present to the working group for adoption before the end of this year.
    
    It would be great to see your ongoing work!
    I've been following the draft-cavage implementation
    for some time now, and we should try to make some merge work.
    I think we should take into consideration all the work done by
    https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html.
    
    Thanks for sharing
    and have a nice day,
    R.
    
    > Here are a couple links, in case anyone is interested in learning more about SigV4:
    >  - Public documentation: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
    >  - Informational presentation I gave at IETF 105: https://www.youtube.com/watch?v=tUmT5qqlKik&feature=youtu.be&t=6400
    >
    > –
    > Annabelle Richard Backman
    > AWS Identity
    >
    >
    > On 11/22/19, 4:52 PM, "Roberto Polli" <robipolli@gmail.com> wrote:
    >
    >     Hi Rob & co,
    >
    >     On Fri, 22 Nov 2019 at 07:05 Rob Sayre <sayrer@gmail.com>
    >     wrote:
    >     > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on YouTube[1], and it seems like it's going to end up in this WG.
    >     Interesting thread: the video is at
    >     https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000
    >
    >     >  I'd like to suggest adopting something very similar to AWSv4.
    >     iiuc the approach of draft-cavage and signed-exchange is very similar
    >     and the signed-exchange workgroup made a lot of progress.
    >     AWSv4 seems to me quite limited and IMHO if you expand it you'll
    >     eventually end up with
    >     draft-cavage or http-signatures.
    >
    >     > I've implemented the server side of AWSv4 [...]
    >     > it's possible to use off-the-shelf AWSv4 client SDKs, make up your own "service" name, and implement the server side of the protocol
    >     Understand, though AWS can change that sdk in the future as that's
    >     tied to their infrastructure.
    >
    >     > [1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
    >     > [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    >
    >     Regards,
    >     R.
    >
    >
    >
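Added example (not code from this thread, from draft-cavage, or from SigV4): a small Python signer/verifier that ties together the three points argued above. It is loosely modelled on the cavage-style "signing string": the signer picks which fields to cover and canonicalizes them, the creation time travels as a `(created)` pseudo-field in the signature parameters rather than in the Date header (the workaround Annabelle describes), body integrity is delegated to a `Digest` header that the signature covers instead of serializing the body (Roberto's suggestion), and the verifier enforces a profile, i.e. the "table of required fields" Roberto asks for, so a signature that omits Digest or the creation time is rejected instead of silently accepted. The HMAC-SHA256 shared key, the `keyId` value, the request, the `max_age` window and the `demo()` driver are all constructed for this illustration.

```python
"""Minimal HTTP message signing demo (added example; constructed, not from the
thread or any draft). Loosely modelled on a cavage-style signing string."""
import base64
import hashlib
import hmac
import re
import time


def canonicalize_value(value: str) -> str:
    # Trim and collapse internal whitespace so that folding or extra OWS
    # does not change the signed bytes.
    return re.sub(r"\s+", " ", value.strip())


def body_digest(body: bytes) -> str:
    # Digest header value; the signature covers this header, not the body.
    return "sha-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, target, headers, covered, created):
    """Build the newline-joined 'name: value' list for the covered fields."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        elif name == "(created)":
            lines.append(f"(created): {created}")
        elif name in lowered:
            lines.append(f"{name}: {canonicalize_value(lowered[name])}")
        else:
            raise KeyError(f"covered field {name!r} not present in message")
    return "\n".join(lines)


def sign(key, method, target, headers, body, covered, created=None):
    """Return a copy of headers with Digest (if covered) and Signature added."""
    created = int(time.time()) if created is None else created
    headers = dict(headers)
    if "digest" in covered:
        headers["Digest"] = body_digest(body)
    base = signing_string(method, target, headers, covered, created)
    sig = base64.b64encode(hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()
    headers["Signature"] = (f'keyId="demo",algorithm="hmac-sha256",created={created},'
                            f'headers="{" ".join(covered)}",signature="{sig}"')
    return headers


def parse_signature(value):
    # Quoted-string params keep their text; bare integers (created) become int.
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\d+))', value):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    return params


def verify(key, method, target, headers, body, required, max_age=300, now=None):
    """Return (ok, reason). `required` is the profile's table of fields that
    MUST be covered; the signer's own choice of fields is not trusted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lowered:
        return False, "no Signature header"
    p = parse_signature(lowered["signature"])
    covered = p.get("headers", "").split()
    missing = [f for f in required if f not in covered]
    if missing:
        return False, f"signature does not cover required fields: {missing}"
    if "(created)" in covered:
        now = int(time.time()) if now is None else now
        if not isinstance(p.get("created"), int) or now - p["created"] > max_age:
            return False, "signature creation time missing or too old"
    if "digest" in covered and lowered.get("digest") != body_digest(body):
        return False, "Digest header does not match body"
    try:
        base = signing_string(method, target, headers, covered, p.get("created"))
    except KeyError as e:
        return False, str(e)
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(p.get("signature", ""))):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Constructed scenarios: a conforming signature, an under-specified one,
    a tampered body and a stale signature."""
    key = b"constructed-demo-key"                       # shared secret (constructed)
    profile = ["(request-target)", "(created)", "host", "digest"]
    body = b'{"amount": 10}'
    headers = {"Host": "api.example.com", "Content-Type": "application/json"}
    now = 1_574_430_966                                 # fixed clock for reproducibility
    results = {}
    signed = sign(key, "POST", "/transfer", headers, body, profile, created=now)
    results["valid"] = verify(key, "POST", "/transfer", signed, body, profile, now=now)
    loose = sign(key, "POST", "/transfer", headers, body, ["(request-target)", "host"], created=now)
    results["underspecified"] = verify(key, "POST", "/transfer", loose, body, profile, now=now)
    results["tampered"] = verify(key, "POST", "/transfer", signed, b'{"amount": 1000}', profile, now=now)
    results["stale"] = verify(key, "POST", "/transfer", signed, body, profile, now=now + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The point of the `required` list in `verify` is the one raised in the thread: the core procedure (canonicalize, concatenate, MAC) is generic, while the profile decides what a verifier may not accept unsigned. The `(created)` pseudo-field also shows why the creation time belongs in the signature parameters: the signer controls it directly, whereas a Date header may be added downstream by infrastructure the signer never sees.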