IETF Logo Mail Archive

Re: Call for Adoption: draft-richanna-http-message-signatures

Orie Steele <orie@transmute.industries> Mon, 20 January 2020 23:12 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E23E120241 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Jan 2020 15:12:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ySqlY4ZPU2qj for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Jan 2020 15:12:35 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7460412011D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 20 Jan 2020 15:12:35 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1itgB3-0004C2-BL for ietf-http-wg-dist@listhub.w3.org; Mon, 20 Jan 2020 23:09:49 +0000
Resent-Date: Mon, 20 Jan 2020 23:09:49 +0000
Resent-Message-Id: <E1itgB3-0004C2-BL@frink.w3.org>
Received: from uranus.w3.org ([128.30.52.58]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <orie@transmute.industries>) id 1itgB1-0004BP-UI for ietf-http-wg@listhub.w3.org; Mon, 20 Jan 2020 23:09:47 +0000
Received: from www-data by uranus.w3.org with local (Exim 4.92) (envelope-from <orie@transmute.industries>) id 1itgB1-0005mi-Ok for ietf-http-wg@listhub.w3.org; Mon, 20 Jan 2020 23:09:47 +0000
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <orie@transmute.industries>) id 1itg9s-0004Ai-OL for ietf-http-wg@listhub.w3.org; Mon, 20 Jan 2020 23:08:36 +0000
Received: from mail-pj1-x1030.google.com ([2607:f8b0:4864:20::1030]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <orie@transmute.industries>) id 1itg9q-0003k8-GP for ietf-http-wg@w3.org; Mon, 20 Jan 2020 23:08:36 +0000
Received: by mail-pj1-x1030.google.com with SMTP id n96so410462pjc.3 for <ietf-http-wg@w3.org>; Mon, 20 Jan 2020 15:08:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=K64gcXeq3BQstRT+dSoyllUws/ER8DjCi2a1nyU6IpY=; b=IIS+N7Y2RsJhaqMGC651cYINkxW8KZoRv8FBAwGbrE15T+M3z2xafeW/Ij80F2iadH RXL/fliHG2sfFLw6v6gj4kmcCI3/po3X7Hc6rcxU6h/pjUNnFfXBVYH0rgbzCngHKhoh 6psZCJblJD7FZUnnAOSJfLc3yC4lyL37KK14kP/AekIwayHaGqOkRB3eYPBoFvy5l+WX W4jz2ZcveFggJ9R3Jle9xigL1Et2CowsMjrwgQov9AHWks36BiMabyquTQJdO9NHnDmd 1kgS6/wVrRiTP5Z6c0aqo7cDmrqBpxjPtBy09XiuEPFsH1cwMkK2iHGE5RBQBDPyu9Kb y1Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=K64gcXeq3BQstRT+dSoyllUws/ER8DjCi2a1nyU6IpY=; b=iH2fwRFe67sNG3nTZNaEhTl7Y6IgGQlrUUQy036vnSlFXxuN4Vr97eAhuuZl2ROC82 HW+05F9qSvM/UbZdaQHbtRDyraSmmdnap9iG19RZW2qI6ISNI6gl1PQ8UBF79cGfeCUK mttRvJ3Od8tPGhY0/rurtXq2sFOpAa9flLHupaCYrYxe+s+0wbHha/mZfbX1ROpj9yPG dsC0Md5qRhrI7G/RZ7E7FVDdCE44BjBE6H+xSy6js+cQ76w36v00KsA/5NncysfritfB GfV9swnODRDOe26qsD4C2GI1MOmKSIYCkwoywb1wERnxxXDkI9sbxUu+S9QRmD2M1OLw 7SQw==
X-Gm-Message-State: APjAAAVkBac7ixbSbayQFMb+gkttQFDppKy1VOhuWG1FvKRxIp1gJpJX 2tRkEi2tF2INOSuFEiWezHkIvxOFzK0e0vsAnnQkiN58a7MKQg==
X-Google-Smtp-Source: APXvYqzSpA+URqf9Y+uU7fHEDLCD/u/lAqyJcOyKBJPJCkkz8HZg9WgO7wyVJfmSYEt10fdU1bkr7WnUysIZAdJohPM=
X-Received: by 2002:a17:90a:238b:: with SMTP id g11mr1689997pje.128.1579561711072; Mon, 20 Jan 2020 15:08:31 -0800 (PST)
MIME-Version: 1.0
References: <76565D7E-C7F5-4D5D-BE3A-6E686E096B14@mnot.net> <EAC1AEFA-D404-4EE1-91AC-03D5F5DA7B99@bblfish.net>
In-Reply-To: <EAC1AEFA-D404-4EE1-91AC-03D5F5DA7B99@bblfish.net>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 20 Jan 2020 17:08:20 -0600
Message-ID: <CAN8C-_Jfxv59ULZgMLnDNEibSee2FrJdKjJ4MiHXB17W7C4r6w@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000b08a55059c9a5e77"
Received-SPF: pass client-ip=2607:f8b0:4864:20::1030; envelope-from=orie@transmute.industries; helo=mail-pj1-x1030.google.com
X-W3C-Hub-Spam-Status: No, score=-9.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1itg9q-0003k8-GP 6ed3b87f1bcd5eef96d9ee6cb4636f10
X-caa-id: 441ca5832d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: draft-richanna-http-message-signatures
Archived-At: <https://www.w3.org/mid/CAN8C-_Jfxv59ULZgMLnDNEibSee2FrJdKjJ4MiHXB17W7C4r6w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37255
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

First time contributing like this, worry if replying like this breaks the
counting mechanism, it seemed nicer than hitting the mailing list
directly...

I done enterprise software development since 2008, including SOA, SOAP,
WSDL, and the newer stuff like Blockchain, GraphQL, Smart Contracts, and
Linked Data Signatures, etc...

I have used HTTP Signatures to configure Oracle Cloud resources
programmatically:

-
https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm

As well as Authorization Capabilities for Encrypted Data Vaults:

- https://w3c-ccg.github.io/zcap-ld/

Here is a link to the blog post and demo which uses HTTP Signatures from
the client web browser to the edv server (as well as DIDs):
https://medium.com/transmute-techtalk/encrypted-data-vaults-c794055b170e

I have also used HTTP Signatures to implement integrations between DIDs and
activity pub, though those were all tech spikes (unpublished), it was based
on this blog post:
https://hacks.mozilla.org/2018/11/decentralizing-social-interactions-with-activitypub/

My experience with HTTP Signatures has been good.

I'm mostly interested in contributing to defining how HTTP Signatures can
be used with Decentralized Identifiers and Verifiable Credentials, as we
already have implementations of these integrations which we are seeking to
strengthen through contribution to a robust standards development process.

Regards,

OS

ᐧ

On Mon, Jan 20, 2020 at 4:06 PM Henry Story <henry.story@bblfish.net> wrote:

> Dear editors,
>
> > On 9 Jan 2020, at 05:33, Mark Nottingham <mnot@mnot.net> wrote:
> >
> > To that end, this is a Call for Adoption of
> draft-richanna-http-message-signatures-00. Since there hasn't been
> extensive discussion yet, we're looking for more confirmation than just
> absence of objection; we'd like folks to read the document and state
> explicitly whether they support it as a starting point for a work item.
>
> I support the call for adoption.
>
> I have been active in the decentralised authentication space for
> over 10 years. I came to this around 2008 by noticing that one could
> retrofit TLS Client certificates with a decentralised identity system
> initially called foaf+ssl [-1] and later called WebID-TLS [0], to help
> build secure decentralized social networks.
>
> It always was clear that TLS client certificates were not perfect
> but the hope was that the TLS community would over time be able
> to improve the client certificate authentication.
>
> https://www.w3.org/2005/Incubator/webid/spec/tls/
>
> These communities had other priorities.
>
> Furthermore the problem with client TLS certificates are numerous:
>  * they don’t fit well with HTTP/2.0 and break the layering
>  * the certificates are in ASN.1, an old pre-web format
>  * for the uses of decentralised hyper-apps that need to
>  fetch data from many different servers, this posed the risk
>  of users being overwhelmed with certificate requests
>  (Though this could have been solved by allowing users to
>   set policies)
>  * …
>
> 5 years ago with the JS-Crypto API having gained traction
> and having become aware of draft-cavage-http-signatures-05
> I implemented it in the prototype Solid server [1]
> and wrote a client library that could save the keys
> to local storage and authenticate by passing a WebID URL in
> the keyId [2] field. The logic is very similar to WebID-TLS
> and just as simple but it fits much better the HTTP-2.0
> architecture.
>
> I wrote up a first sketch of a draft of such an authentication
> protocol in September 2019,
>
> https://github.com/solid/authentication-panel/blob/master/HttpSignature.md
>
> Because the client UI is not integrated into the browsers as with TLS,
> a lot of the functionality will need to developed as libraries. One
> thing that will be needed is what I initially called a LauncherApp but
> that can be thought of as a KeyChain, that could control the credentials
> and keys for all the users apps [3].
>
> I have been less active in the past 3 years programming as I
> somehow ended up doing a PhD on all of this with the aim of
> developing a security logic to ground this.
>
> If you are interested you can see my second year report here
> http://co-operating.systems/2019/04/01/PhD_second_year_report.pdf
>
> In summary my early experience with HTTP-Signature was very good.
> It is simple and flexible and seems to be a good candidate for a
> decentralised authentication framework.
>
> Henry
>
> If I had a suggestion it would be to consider allowing the keyId
> field to be a URI, either relative (one could think of it being that
> now) or absolute.
>
>
> [-1] https://bblfish.net/tmp/2009/05/spot2009_submission_15.pdf
> [0] https://www.w3.org/2005/Incubator/webid/spec/tls/
> [1]
> https://github.com/read-write-web/rww-play/blob/dev/app/rww/auth/HttpAuthentication.scala
> [2]
> https://github.com/read-write-web/rww-scala-js/blob/akka.js/src/main/scala/rww/store/KeyStore.scala
> [3]
> https://github.com/solid/authorization-and-access-control-panel/blob/master/Proposals/LauncherApp.md
>


-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

v2.23.0 | Report a Bug | By Email