Re: feedback on draft-ietf-httpbis-message-signatures-13

Julian Reschke <julian.reschke@gmx.de> Mon, 17 October 2022 16:34 UTC

Message-ID: <774fe022-9ed8-c044-40ef-cca22c847e34@gmx.de>
Date: Mon, 17 Oct 2022 18:31:31 +0200
To: Anders Rundgren <anders.rundgren.net@gmail.com>, ietf-http-wg@w3.org
References: <CAD9ie-uvOK_-JxDjtZrPXGqdHUSYFNdKsaGKp6jNNhZB5bVXuA@mail.gmail.com> <37363932-a747-8d28-0f6e-f3fedfcef7f4@gmail.com> <4e77390f-f5d0-18b1-23d6-8b254c87815f@gmx.de> <1942525e-0ea6-7519-4dd6-c2a9af04415b@gmail.com>
From: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <1942525e-0ea6-7519-4dd6-c2a9af04415b@gmail.com>
Subject: Re: feedback on draft-ietf-httpbis-message-signatures-13
Archived-At: <https://www.w3.org/mid/774fe022-9ed8-c044-40ef-cca22c847e34@gmx.de>

On 17.10.2022 18:27, Anders Rundgren wrote:
> On 2022-10-17 13:59, Julian Reschke wrote:
>> On 17.10.2022 12:44, Anders Rundgren wrote:
>>> +1
>>>
>>> Target URI and Method (as well as other data related to the message),
>>> may equally well be put in the payload.  HTTP header signing is an
>>> unnecessary complication.
>>> ...
>>
>> Can you elaborate? You might have a media type that allows adding a
>> *copy* of that information, but that's not the same thing.
>
> Hi Julian,
> It is quite possible that I misunderstand what you write but I don't see
> a problem with having a copy of targetUri in the payload.
> An RP may (depending on proxying etc) compare this data with the HTTP
> header counterpart and fail if there is a mismatch.
>
> An additional advantage with this arrangement is that signed messages
> become serializable and thus can easily be stored in databases, embedded
> in other objects, etc.
>
> Regards,
> Anders

Well, that would only work with certain media types. It's not a generic
solution.

Best regards, Julian
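The two designs argued over in this message, as an added worked example: it is not code from the draft, from either participant, or from any implementation. Variant (a) signs derived components the way draft-ietf-httpbis-message-signatures does with "@method" and "@target-uri", so the verifier rebuilds the signature base from the request it actually received; variant (b) is the arrangement in the quoted reply, a copy of the method and target URI inside the payload that the RP compares with the request. HMAC-SHA256 stands in for the signature algorithm so the block runs offline; the shared key, key id, timestamp, URIs, the JSON field names `method`/`targetUri`/`amount` and the hypothetical payment endpoint are all constructed here. The signature-base layout is reproduced from the draft from memory and is an illustration, not a conformance check.

```python
"""Two ways to bind an HTTP request's method and target URI to a signature."""
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"   # constructed for this example only
KEY_ID = "test-key"                  # hypothetical key identifier
CREATED = 1666024291                 # constructed timestamp


# (a) draft-style: sign over *derived components* taken from the request
#     itself, so no copy inside the body is needed and any media type works.

def signature_base(method, target_uri, created=CREATED):
    """Signature base over @method and @target-uri, one component per line,
    closed by the @signature-params line (layout as in the draft; a real
    deployment would normally also cover content-digest to bind the body)."""
    params = f'("@method" "@target-uri");created={created};keyid="{KEY_ID}"'
    return "\n".join([
        f'"@method": {method}',
        f'"@target-uri": {target_uri}',
        f'"@signature-params": {params}',
    ])


def sign_components(method, target_uri, created=CREATED):
    base = signature_base(method, target_uri, created).encode()
    return hmac.new(KEY, base, hashlib.sha256).hexdigest()


def verify_components(method, target_uri, sig, created=CREATED):
    """The verifier rebuilds the base from the method and URI it actually
    received; a proxy that rewrites either one breaks the signature."""
    return hmac.compare_digest(sign_components(method, target_uri, created), sig)


# (b) payload-copy style (the arrangement proposed in the quoted reply):
#     the signer copies method/targetUri into the body, the RP verifies the
#     body signature and then compares the copy with the request as received.

def sign_payload(body: bytes):
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def payload_copy_applicable(content_type):
    """The copy needs a media type with somewhere to put it; this example
    knows how to carry it in JSON and nothing else."""
    return content_type == "application/json"


def verify_payload_copy(content_type, body, sig, actual_method, actual_uri):
    if not payload_copy_applicable(content_type):
        raise ValueError(f"no place for a method/targetUri copy in {content_type}")
    if not hmac.compare_digest(sign_payload(body), sig):
        return False
    doc = json.loads(body)
    return doc.get("method") == actual_method and doc.get("targetUri") == actual_uri


def demo():
    uri = "https://example.com/api/pay"          # constructed
    rewritten = "https://example.com/api/refund"  # constructed: URI changed in transit
    results = {}

    # (a): signature made for `uri`; the request arrives with a rewritten URI
    sig_a = sign_components("POST", uri)
    results["a_ok"] = verify_components("POST", uri, sig_a)
    results["a_rewritten"] = verify_components("POST", rewritten, sig_a)

    # (b): JSON body carrying the copy; the RP catches the rewrite by comparison
    body = json.dumps({"method": "POST", "targetUri": uri, "amount": 10}).encode()
    sig_b = sign_payload(body)
    results["b_ok"] = verify_payload_copy("application/json", body, sig_b, "POST", uri)
    results["b_rewritten"] = verify_payload_copy("application/json", body, sig_b, "POST", rewritten)

    # (b) has no answer for a body that cannot carry the copy
    results["b_octets"] = payload_copy_applicable("application/octet-stream")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both variants reject the rewritten URI when the body is JSON; the difference shows up in the last line of `demo()`, where the payload-copy check has nothing to compare for an opaque body, while variant (a) never looked inside the body to begin with.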