Re: feedback on draft-ietf-httpbis-message-signatures-13

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 17 October 2022 16:48 UTC

Message-ID: <95b4a491-8132-258a-768a-916bbf710c87@gmail.com>
Date: Mon, 17 Oct 2022 18:45:39 +0200
To: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
References: <CAD9ie-uvOK_-JxDjtZrPXGqdHUSYFNdKsaGKp6jNNhZB5bVXuA@mail.gmail.com> <37363932-a747-8d28-0f6e-f3fedfcef7f4@gmail.com> <4e77390f-f5d0-18b1-23d6-8b254c87815f@gmx.de> <1942525e-0ea6-7519-4dd6-c2a9af04415b@gmail.com> <774fe022-9ed8-c044-40ef-cca22c847e34@gmx.de>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <774fe022-9ed8-c044-40ef-cca22c847e34@gmx.de>
Subject: Re: feedback on draft-ietf-httpbis-message-signatures-13
Archived-At: <https://www.w3.org/mid/95b4a491-8132-258a-768a-916bbf710c87@gmail.com>

On 2022-10-17 18:31, Julian Reschke wrote:
> On 17.10.2022 18:27, Anders Rundgren wrote:
>> On 2022-10-17 13:59, Julian Reschke wrote:
>>> On 17.10.2022 12:44, Anders Rundgren wrote:
>>>> +1
>>>>
>>>> Target URI and Method (as well as other data related to the message),
>>>> may equally well be put in the payload.  HTTP header signing is an
>>>> unnecessary complication.
>>>> ...
>>>
>>> Can you elaborate? You might have a media type that allows adding a
>>> *copy* of that information, but that's not the same thing.
>>
>> Hi Julian,
>> It is quite possible that I misunderstand what you write but I don't see
>> a problem with having a copy of targetUri in the payload.
>> An RP may (depending on proxying etc) compare this data with the HTTP
>> header counterpart and fail if there is a mismatch.
>>
>> An additional advantage with this arrangement is that signed messages
>> become serializable and thus can easily be stored in databases, embedded
>> in other objects, etc.
>>
>> Regards,
>> Anders
> 
> Well, that would only work with certain media types. It's not a generic
> solution.

Right, from an HTTP point of view this is of course correct.  However, in many systems, images are also included in the message payload.

That is, it seems rather unlikely that there ever will be a single method or standard for dealing with signed data (not to mention encrypted data) transferred over HTTP. However, that absolutely does not mean that "draft-ietf-httpbis-message-signatures-13" is useless and should be abandoned :)

Regards,
Anders

> 
> Best regards, Julian
>
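The arrangement discussed in the quoted replies above (a signed payload that carries its own copy of `targetUri` and the method, which the RP compares with the HTTP request and rejects on mismatch), as an added example that is not part of the original thread. The HMAC-SHA256 scheme, the sorted-key JSON canonical form, the key, and the field names `body`, `mac`, `method` and `data` are assumptions made for illustration; only `targetUri` comes from the message.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared secret, for this example only


def _canonical(obj):
    # Assumption: sorted-key compact JSON stands in for a real canonicalization scheme.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(method, target_uri, data, key=KEY):
    """Build a serializable signed object that binds the method and target URI."""
    body = {"method": method.upper(), "targetUri": target_uri, "data": data}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})


def verify_message(serialized, req_method, req_uri, key=KEY):
    """Return (ok, reason); the signature is checked before bound fields are trusted."""
    try:
        env = json.loads(serialized)
        body, mac = env["body"], env["mac"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if not isinstance(body, dict) or not isinstance(mac, str):
        return False, "malformed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    # Exact comparison: behind a proxy, req_uri must be the externally visible
    # URI as reconstructed by the RP, otherwise valid messages are rejected.
    if body.get("method") != req_method.upper():
        return False, "method mismatch"
    if body.get("targetUri") != req_uri:
        return False, "targetUri mismatch"
    return True, "ok"


if __name__ == "__main__":
    msg = sign_message("POST", "https://rp.example/pay", {"amount": "10.00"})
    print(verify_message(msg, "POST", "https://rp.example/pay"))
    print(verify_message(msg, "POST", "https://other.example/pay"))
```

Because the signed object is plain JSON, it can be stored and verified again later, but the mismatch check only has meaning at the moment an HTTP request is available to compare against.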