Re: Call for Adoption: draft-richanna-http-message-signatures

Henry Story <henry.story@bblfish.net> Mon, 20 January 2020 22:05 UTC


Dear editors,

> On 9 Jan 2020, at 05:33, Mark Nottingham <mnot@mnot.net> wrote:
> 
> To that end, this is a Call for Adoption of draft-richanna-http-message-signatures-00. Since there hasn't been extensive discussion yet, we're looking for more confirmation than just absence of objection; we'd like folks to read the document and state explicitly whether they support it as a starting point for a work item.

I support the call for adoption.

I have been active in the decentralised authentication space for
over 10 years. I came to this around 2008 by noticing that one could
retrofit TLS Client certificates with a decentralised identity system
initially called foaf+ssl [-1] and later called WebID-TLS [0], to help
build secure decentralized social networks.

It always was clear that TLS client certificates were not perfect
but the hope was that the TLS community would over time be able 
to improve the client certificate authentication. 

https://www.w3.org/2005/Incubator/webid/spec/tls/

These communities had other priorities. 

Furthermore the problems with client TLS certificates are numerous:
 * they don’t fit well with HTTP/2.0 and break the layering
 * the certificates are in ASN.1, an old pre-web format
 * for the uses of decentralised hyper-apps that need to
   fetch data from many different servers, this posed the risk
   of users being overwhelmed with certificate requests
   (Though this could have been solved by allowing users to
   set policies)
 * …

5 years ago with the JS-Crypto API having gained traction
and having become aware of draft-cavage-http-signatures-05
I implemented it in the prototype Solid server [1]
and wrote a client library that could save the keys
to local storage and authenticate by passing a WebID URL in
the keyId [2] field. The logic is very similar to WebID-TLS 
and just as simple but it fits much better the HTTP-2.0
architecture.

I wrote up a first sketch of a draft of such an authentication
protocol in September 2019, 

https://github.com/solid/authentication-panel/blob/master/HttpSignature.md

Because the client UI is not integrated into the browsers as with TLS,
a lot of the functionality will need to be developed as libraries. One
thing that will be needed is what I initially called a LauncherApp but
that can be thought of as a KeyChain, that could control the credentials
and keys for all the users' apps [3].

I have been less active in the past 3 years programming as I 
somehow ended up doing a PhD on all of this with the aim of 
developing a security logic to ground this.

If you are interested you can see my second year report here
http://co-operating.systems/2019/04/01/PhD_second_year_report.pdf

In summary my early experience with HTTP-Signature was very good.
It is simple and flexible and seems to be a good candidate for a
decentralised authentication framework.

Henry

If I had a suggestion it would be to consider allowing the keyId
field to be a URI, either relative (one could think of it being that
now) or absolute.


[-1] https://bblfish.net/tmp/2009/05/spot2009_submission_15.pdf
[0] https://www.w3.org/2005/Incubator/webid/spec/tls/
[1] https://github.com/read-write-web/rww-play/blob/dev/app/rww/auth/HttpAuthentication.scala
[2] https://github.com/read-write-web/rww-scala-js/blob/akka.js/src/main/scala/rww/store/KeyStore.scala
[3] https://github.com/solid/authorization-and-access-control-panel/blob/master/Proposals/LauncherApp.md
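
Added example, not part of the message above or of the draft's own text: a server-side sketch of treating `keyId` as a URI reference (relative or absolute), resolving it against the request URL, and rebuilding the draft-cavage signing string that the fetched key would then verify. The sample request, host names and the https-only policy are assumptions made for illustration; cryptographic verification itself is left out.

```python
import re
from urllib.parse import urljoin, urlsplit, urldefrag

# Constructed sample request; URLs, key names and signature bytes are made up.
REQUEST_URL = "https://alice.example/docs/notes"
METHOD = "GET"
HEADERS = {
    "host": "alice.example",
    "date": "Mon, 20 Jan 2020 22:02:18 GMT",
    "authorization": 'Signature keyId="/keys/k1#key",algorithm="hs2019",'
                     'headers="(request-target) host date",signature="c2lnbmF0dXJl"',
}

PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_signature_params(authorization):
    """Split 'Signature k="v",...' into a dict of its parameters."""
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != "signature":
        raise ValueError("not a Signature credential")
    return dict(PARAM.findall(rest))

def resolve_key_id(key_id, request_url):
    """Resolve keyId as a URI reference; return (document URL, fragment).

    Assumed policy: only https key documents are dereferenced, so a
    keyId cannot point the server at file: or plain http: resources.
    """
    doc_url, fragment = urldefrag(urljoin(request_url, key_id))
    if urlsplit(doc_url).scheme != "https":
        raise ValueError("refusing non-https key document: " + doc_url)
    return doc_url, fragment

def signing_string(method, request_url, headers, covered):
    """Rebuild the string the client signed, in the order it listed."""
    parts = urlsplit(request_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    lines = []
    for name in covered.split():
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        else:
            # A KeyError here means a covered header is missing: reject.
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

params = parse_signature_params(HEADERS["authorization"])
key_doc, key_fragment = resolve_key_id(params["keyId"], REQUEST_URL)
to_verify = signing_string(METHOD, REQUEST_URL, HEADERS, params["headers"])
```

A relative `keyId` resolves to a key on the server being addressed, while an absolute one (for example a WebID URL on another host) makes the server fetch a remote document, which is why the scheme check sits in front of any dereference.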