Re: CBOR versus HTTP Message Signature
Justin Richer <jricher@mit.edu> Fri, 23 December 2022 13:40 UTC
From: Justin Richer <jricher@mit.edu>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Fri, 23 Dec 2022 13:37:32 +0000
Archived-At: <https://www.w3.org/mid/DM6PR01MB4444A2658342DF85BCFD88B2BDE99@DM6PR01MB4444.prod.exchangelabs.com>
The HTTP Message Signatures draft is not specific to JSON or any other data encoding format, so I'm not sure what you're trying to say here. Are you saying that cbor/cose would be a replacement for a general purpose HTTP signing mechanism?

But: You don't need any JSON processing to implement the specification. That was one of the smaller goals of the spec, the larger aspect being that it should live natively in HTTP space and not be tied to API or data use cases.

Yes, there are lots of other ways to sign things, and they've got different properties that make sense in different environments. I suppose if you're doing something entirely in cbor already, something else might make sense, but that isn't the goal here.

- Justin

________________________________
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Sent: Monday, December 19, 2022 1:12 AM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: CBOR versus HTTP Message Signature

Dear List,

I hope you don't mind me elaborating a bit on an alternative to the current IETF WG item.

A decade ago I converted from XML/XSD to JSON. Now I have converted to CBOR for many reasons including support for a wider set of data items, and last but not least deterministic serialization.

If you put all these things together you can obtain similar results as with HTTP Signatures, but in a package that may better match the rest of a typical system.
https://github.com/cyberphone/cbor-everywhere#signed-http-requests

There are probably not many who are prepared to scrap their huge investments in JSON based systems. JSON also remains the [currently] only viable alternative for browser based applications.

Cheers,
Anders
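An added illustration of the point made in the reply above (not code from the thread, the draft, or either author): a simplified sketch of the signature base layout defined by HTTP Message Signatures (published as RFC 9421), signing the same request once with a CBOR body and once with a JSON body without parsing either. The key, key id, host, path, function names and request dictionaries are constructed for the example, and the `Signature-Input` handling is a plain string split rather than a full Structured Fields parser.

```python
import base64, hashlib, hmac

def content_digest(body: bytes) -> str:
    # Digest over the raw body bytes; the body's encoding is never parsed.
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def signature_base(req: dict, covered: list, params: str) -> str:
    # One line per covered component, then the "@signature-params" line.
    derived = {"@method": req["method"].upper(),
               "@authority": req["authority"].lower(),
               "@path": req["path"]}
    lines = []
    for name in covered:
        value = derived[name] if name.startswith("@") else req["headers"][name].strip()
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def sign(key: bytes, req: dict, covered: list, created: int, keyid: str) -> None:
    req["headers"]["content-digest"] = content_digest(req["body"])
    inner = " ".join(f'"{c}"' for c in covered)
    params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(key, signature_base(req, covered, params).encode(), hashlib.sha256)
    req["headers"]["signature-input"] = "sig1=" + params
    req["headers"]["signature"] = "sig1=:" + base64.b64encode(mac.digest()).decode() + ":"

def verify(key: bytes, req: dict) -> bool:
    h = req["headers"]
    params = h["signature-input"].split("=", 1)[1]
    covered = [c.strip('"') for c in params[1:params.index(")")].split()]
    # Verifier policy: the body must be bound through content-digest, and the
    # digest must be recomputed over the bytes actually received.
    if "content-digest" not in covered or h["content-digest"] != content_digest(req["body"]):
        return False
    mac = hmac.new(key, signature_base(req, covered, params).encode(), hashlib.sha256)
    expected = "sig1=:" + base64.b64encode(mac.digest()).decode() + ":"
    return hmac.compare_digest(expected, h["signature"])

def make_request(body: bytes, ctype: str) -> dict:
    return {"method": "POST", "authority": "example.com", "path": "/orders",
            "headers": {"content-type": ctype}, "body": body}

# Constructed sample data: the same map {"key": 1} encoded as CBOR and as JSON.
KEY = b"constructed-demo-key"
COVERED = ["@method", "@authority", "@path", "content-type", "content-digest"]
CBOR_REQ = make_request(bytes.fromhex("a1636b657901"), "application/cbor")
JSON_REQ = make_request(b'{"key":1}', "application/json")
for r in (CBOR_REQ, JSON_REQ):
    sign(KEY, r, COVERED, created=1671802652, keyid="demo-key")
```

The signature itself only covers the `content-digest` field line, so a verifier that skips recomputing the digest over the received body has not authenticated the body at all.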