IETF Logo Mail Archive

Re: Artart last call review of draft-ietf-httpbis-message-signatures-16

"Backman, Annabelle" <richanna@amazon.com> Tue, 14 March 2023 18:50 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11312C14CE39 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Mar 2023 11:50:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.749
X-Spam-Level:
X-Spam-Status: No, score=-7.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZeBESQLRXVI for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Mar 2023 11:49:59 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ED7BC151548 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Mar 2023 11:49:58 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1pc9gM-00CXWa-8r for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Mar 2023 18:47:34 +0000
Resent-Date: Tue, 14 Mar 2023 18:47:34 +0000
Resent-Message-Id: <E1pc9gM-00CXWa-8r@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <prvs=430a7d5e7=richanna@amazon.com>) id 1pc9gK-00CXVl-0y for ietf-http-wg@listhub.w3.org; Tue, 14 Mar 2023 18:47:32 +0000
Received: from smtp-fw-6002.amazon.com ([52.95.49.90]) by mimas.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <prvs=430a7d5e7=richanna@amazon.com>) id 1pc9gI-003HV4-IK for ietf-http-wg@w3.org; Tue, 14 Mar 2023 18:47:32 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1678819650; x=1710355650; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=972R+fPqqA/OSdsoJLVlC3lLAs9o7KZwRSHTiwaDHv8=; b=VNmvFSINbOx7cKp/PSbukx+AiazLX3TjvBR9ru2sgcDYz8bH+InoPq6x QKD1kgStbf5Jzi9eaAD3PJJxcuILxwrxcjfsJW46ezKnNRZLVIrLJDsIa eypp7t1ALLMgGUDUkKQNIQWES9QL+nT0rW53qLI5xZ703308qW5djX0MK 4=;
X-IronPort-AV: E=Sophos;i="5.98,260,1673913600"; d="scan'208,217";a="307157767"
Thread-Topic: Artart last call review of draft-ietf-httpbis-message-signatures-16
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1d-m6i4x-153b24bc.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Mar 2023 18:47:18 +0000
Received: from EX19MTAUWC002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1d-m6i4x-153b24bc.us-east-1.amazon.com (Postfix) with ESMTPS id EDB7AC1C03; Tue, 14 Mar 2023 18:47:17 +0000 (UTC)
Received: from EX19D001UWA001.ant.amazon.com (10.13.138.214) by EX19MTAUWC002.ant.amazon.com (10.250.64.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Tue, 14 Mar 2023 18:46:55 +0000
Received: from EX19D001UWA002.ant.amazon.com (10.13.138.236) by EX19D001UWA001.ant.amazon.com (10.13.138.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.24; Tue, 14 Mar 2023 18:46:55 +0000
Received: from EX19D001UWA002.ant.amazon.com ([fe80::716f:2fd6:4192:9942]) by EX19D001UWA002.ant.amazon.com ([fe80::716f:2fd6:4192:9942%5]) with mapi id 15.02.1118.024; Tue, 14 Mar 2023 18:46:55 +0000
From: "Backman, Annabelle" <richanna@amazon.com>
To: Harald Alvestrand <harald@alvestrand.no>
CC: Justin Richer <jricher@mit.edu>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Index: AQHZURx+KMY1/AJH30mxymqUD3eUNa7vt+YAgArwk4A=
Date: Tue, 14 Mar 2023 18:46:55 +0000
Message-ID: <F44B4103-BAAC-4801-B95A-74BAC00F96EB@amazon.com>
References: <167814585078.47895.4452057535068050885@ietfa.amsl.com> <269E25AB-0D57-4F5A-BBDD-D04060C84E9E@mit.edu> <fc560173-d90f-672b-78ac-2d76c660e874@alvestrand.no>
In-Reply-To: <fc560173-d90f-672b-78ac-2d76c660e874@alvestrand.no>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.2)
x-originating-ip: [10.95.130.153]
Content-Type: multipart/alternative; boundary="_000_F44B4103BAAC4801B95A74BAC00F96EBamazoncom_"
MIME-Version: 1.0
Received-SPF: pass client-ip=52.95.49.90; envelope-from=prvs=430a7d5e7=richanna@amazon.com; helo=smtp-fw-6002.amazon.com
X-W3C-Hub-DKIM-Status: validation passed: (address=prvs=430a7d5e7=richanna@amazon.com domain=amazon.com), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=prvs=430a7d5e7=richanna@amazon.com domain=@amazon.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-14.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1pc9gI-003HV4-IK c0e42decc00eded9a805e4b65eaa9362
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Artart last call review of draft-ietf-httpbis-message-signatures-16
Archived-At: <https://www.w3.org/mid/F44B4103-BAAC-4801-B95A-74BAC00F96EB@amazon.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/50847
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

As Justin mentioned, AWS uses a proprietary HTTP request signature algorithm called "Signature V4” or “SigV4”, which uses a similar pattern as HTTP Message Signatures. Version 4 has been in use for over a decade, and today SigV4 signatures are required on nearly all authenticated HTTP requests to AWS APIs. While many clients use the implementation that AWS provides as part of our SDKs, some clients opt to write their own implementations. (a simple Google search for “aws sigv4 implementation"<https://www.google.com/search?q=aws+sigv4+implementation> shows several non-AWS implementations on Github, NPM, etc.)

You can find a complete description of SigV4 in the AWS General Reference guide<https://docs.aws.amazon.com/general/latest/gr/signing-aws-api-requests.html>.

Note that like HTTP Message Signatures, SigV4 is not a complete security protocol. It’s simply an algorithm for crafting a detached signature over portions of an HTTP request. AWS combines it with other systems (e.g., AWS Identity and Access Management, AWS Security Token Service) to complete the picture. The authors similarly expect HTTP Message Signatures to be plugged into existing security protocols such as OAuth 2.0, where there are already well-defined mechanisms for establishing and managing keys, identifying parties, etc. Extending HTTP Message Signatures to make it more of a full security protocol would thus be duplicative, and significantly limit its utility.

On 7 Mar 2023, at 19:43, Harald Alvestrand <harald@alvestrand.no<mailto:harald@alvestrand.no>> wrote:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Thanks for the comments on the review!

One particular point, which I think is the most important:

On 3/7/23 18:39, Justin Richer wrote:

IF it is possible to:
- Describe 2 or more “applications” (in the document’s terminology)
that serve
an useful function in securing some part of the ecosystem against some
attack -
Implement these functions in a way that exercises a fairly
comprehensive subset
of the behaviors mandated in this document - Run the resulting
application in a
real environment for some significant period of time, and observe that the
number of canonicalization errors resulting in validation failure is
insignificant to zero THEN it seems to me reasonable to place this on the
standards track.

Until then, I think this best belongs as an experimental protocol that
people
can implement to gather experience with, not something that the IETF
should
publish as a consensus standards-track protocol.


There are many very real applications from which this draft’s text was
distilled over the last few years. The general approach in this document
has been in use for well over a decade, in production and at scale, in
multiple deployed systems.

Amazon’s SIGv4 is probably the most well-exercised version of this
approach, and it’s still in use today (I can’t speak for Amazon’s plans
but they are sponsoring one of the editors to work on this draft):
https://docs.aws.amazon.com/general/latest/gr/signing-aws-api-requests.html <https://docs.aws.amazon.com/general/latest/gr/signing-aws-api-requests.html>

The engineers behind this original work at Amazon published their
original I-D back in 2013, known as the Cavage draft in the community.
This has many implementations in different versions on different
systems:
https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-00
<https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-00>

One of the bigger ones out there is the Mastodon ecosystem, which uses
its own version of the Cavage draft:
https://docs.joinmastodon.org/spec/security/#http
<https://docs.joinmastodon.org/spec/security/#http>

As do financial profiles including FAPI, PSD2, and the Berlin Group’s
work. This is to say nothing of other efforts out there that have
invented or re-invented parts of this specification for their own purposes.


Given the number of current users cited - is it possible to get at least
one of those to document their approach and why it works for them, in a
form that we could include at least as an informational reference?

A *lot* of my concerns would be assuaged if we could see a worked
example of an application using this toolkit.

Harald

v2.23.0 | Report a Bug | By Email