Re: HTTP Signing

Roberto Polli <robipolli@gmail.com> Fri, 22 November 2019 14:40 UTC

From: Roberto Polli <robipolli@gmail.com>
Date: Fri, 22 Nov 2019 15:38:11 +0100
Message-ID: <CAP9qbHVZQriHKptCcfDtya=S4N6rNnZvP83Jfnyp16ZJbsx7AQ@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: Rob Sayre <sayrer@gmail.com>, Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>

On Fri, 22 Nov 2019 at 14:56, Richard Backman, Annabelle
<richanna@amazon.com> wrote:
>
> > Agree, though AWS4 serialization could avoid specifying payload serialization and delegate it to Digest...
> I'm looking forward to discussing how we should approach this in the working group.
> I think there's work to be done on message body signing, particularly for streaming.
> Neither stock SigV4 nor cavage (IIUC) handles that particularly well.
During the last httpwg there was a discussion about sending multiple trailers.
That could be of some interest there: WDYT?

> > My experience with pre-11 draft-cavage resulted in insecure implementations due to under-specification about which fields to sign.
> From what I could tell, even on the thread you linked there was disagreement
> over whether Date and Expires should be included.
> Date is tricky because signature creation time seems obviously important
> but the signer may not have access to the value of that header.
Agree!

> SigV4 and cavage work around this by providing alternate ways
> of specifying the creation time (X-Amz-Date, the "created" parameter).
Yes, I proposed to use `created` and `expires` to avoid
the signature having to rely on such headers. So while I thought that this
information should be provided by the spec, I advocated not being
prescriptive about the `Date` header.

> My inclination is that the core signing spec should be
> as non-prescriptive as possible, but it could offer guidance to profilers.
If you mean that the specification should contain all the required information
without prescribing the headers to be signed then it's ok :)

My 2¢,
R.
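
The point discussed in this message, that signed `created` and `expires` values let a verifier bound a signature's lifetime without the `Date` header, shown as an added example that is not part of the original e-mail or of any draft. The `(request-target)`/`(created)`/`(expires)` line format is a simplified assumption loosely modelled on draft-cavage; HMAC-SHA256, `MAX_SKEW` and all function names are hypothetical choices made for the illustration.

```python
import hashlib
import hmac

MAX_SKEW = 30  # tolerated clock skew in seconds (assumed policy value)


def signing_string(method, path, created, expires, headers, covered):
    """Serialize what gets signed; created/expires are always covered."""
    lines = [
        f"(request-target): {method.lower()} {path}",
        f"(created): {created}",
        f"(expires): {expires}",
    ]
    # headers is a dict with lower-case names; a missing one raises KeyError
    lines += [f"{n.lower()}: {headers[n.lower()].strip()}" for n in covered]
    return "\n".join(lines).encode()


def sign(key, method, path, created, expires, headers, covered):
    msg = signing_string(method, path, created, expires, headers, covered)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, sig, method, path, created, expires, headers, covered, now):
    """Return "ok" or the reason the request is rejected."""
    try:
        expected = sign(key, method, path, created, expires, headers, covered)
    except KeyError:
        return "missing covered header"
    if not hmac.compare_digest(expected, sig):
        return "bad signature"  # also catches edited created/expires values
    if created > now + MAX_SKEW:
        return "created in the future"
    if expires <= now:
        return "expired"
    return "ok"


# Constructed sample: the request carries no Date header at all.
KEY = b"constructed-demo-key"
HEADERS = {"host": "example.org"}
CREATED, EXPIRES = 1574433491, 1574433791
SIG = sign(KEY, "GET", "/foo", CREATED, EXPIRES, HEADERS, ("host",))
```

A profile that additionally requires `Date` would add it to `covered`; a request lacking that header is then rejected before any time check runs.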