Re: HTTP Signing
Rob Sayre <sayrer@gmail.com> Fri, 22 November 2019 21:57 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 614F212013F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Nov 2019 13:57:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.751
X-Spam-Level:
X-Spam-Status: No, score=-2.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYnI13kb1at9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Nov 2019 13:57:56 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15B64120100 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 22 Nov 2019 13:57:56 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iYGuE-0004YK-JQ for ietf-http-wg-dist@listhub.w3.org; Fri, 22 Nov 2019 21:55:58 +0000
Resent-Date: Fri, 22 Nov 2019 21:55:58 +0000
Resent-Message-Id: <E1iYGuE-0004YK-JQ@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <sayrer@gmail.com>) id 1iYGuC-0004XX-EC for ietf-http-wg@listhub.w3.org; Fri, 22 Nov 2019 21:55:56 +0000
Received: from mail-io1-xd33.google.com ([2607:f8b0:4864:20::d33]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <sayrer@gmail.com>) id 1iYGuB-0000Zp-54 for ietf-http-wg@w3.org; Fri, 22 Nov 2019 21:55:56 +0000
Received: by mail-io1-xd33.google.com with SMTP id p12so2431619iog.10 for <ietf-http-wg@w3.org>; Fri, 22 Nov 2019 13:55:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KXHr04nq9WTO03eO35g6rj8MHC5LE4cyWZpiBzeT9zk=; b=qz4D2Cp45knoJZotnTae5FENyfZErBETONJcVbD0a28BoESbGfKSBnie0XqaJBDOWJ +aPvtA67gVwTa4cA/j67CcA9cvLphjNWizUvD8ktgm+xIfyEHX82+Cy+Od7Y/8+LfVTA beMzhlTDVBqV525nkyYQKBXEquVfASTCQPVHaRW/ET62Z/OCzJbXGw7xdxOfbx1R/HqB Xrhj8KDmpmuBAhFqx2fhUO2F1Hqag8pGY41SCvT8US7TQ+CecyjHcSzmBqD14qlU23i6 UYnQIT5to110RcCsMVkLUTPw8ikzd8uEGcsDR27OPtNVDHw3f2CUdhqzTRbRaefaplCU B4eA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KXHr04nq9WTO03eO35g6rj8MHC5LE4cyWZpiBzeT9zk=; b=ninqNicaKu5/OdvfajTJWi/yyw3OWKhQiJHz5eBhQbcW4EG7fQVEUUpjCJVE/VInfH LmVqcs+7qfZ9CKO4bpxztBh7Ek7hxZ/zucUrTxDNtgC+P9sSzjS73Kwfc3sV/Yn0ExkW 497uzIzvrxkOMyBKmrJwRrdGH8YISiWyLCOvxeJHJ9DNhKrqi0BGNXe0ghXmU8vahzL3 SisvbUMlrKJE/f1JHOFAy2k6dK2KDLHYyJpUBwbE5TK0BG1GwmboruZJclFruXCADbWD gD4WBATaX/C85KlJOc44w+IIivPQV7q05rRfHlpXZzejKMt8bWMgHSCkbJbcdyymR7eo zyDA==
X-Gm-Message-State: APjAAAUWk/XyvFUL7cm9l/88bgi2BkjfDxt9JvKuXGpASUCroQCpiKNC kdU/VpP6+L8ynN9X5dScafRH0AWicutxvxvPq0SfS6Aly/Y=
X-Google-Smtp-Source: APXvYqz2u+5gJtgNXAyEB5/Mv6Kbglg+JBddjn6vvukqm4CU9j/lki9kgE0xhDBi/ojin+Ws7jwiSkgy2HMzEvQ3fL8=
X-Received: by 2002:a05:6602:22c3:: with SMTP id e3mr15324432ioe.73.1574459753557; Fri, 22 Nov 2019 13:55:53 -0800 (PST)
MIME-Version: 1.0
References: <CAChr6SwoGTULzG5jKsEbPRbzb1qK6F-sKT8ArEyQ3BA6T78YAQ@mail.gmail.com> <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>
In-Reply-To: <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 22 Nov 2019 13:55:39 -0800
Message-ID: <CAChr6SyyX895_WNVDGwz+jtGL-n4ksxF-uqzZqzxs1f4jAAB1g@mail.gmail.com>
To: Roberto Polli <robipolli@gmail.com>
Cc: Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000052f9570597f67a5f"
Received-SPF: pass client-ip=2607:f8b0:4864:20::d33; envelope-from=sayrer@gmail.com; helo=mail-io1-xd33.google.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iYGuB-0000Zp-54 10d8e7b6108131d7bf8365600c6576fb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP Signing
Archived-At: <https://www.w3.org/mid/CAChr6SyyX895_WNVDGwz+jtGL-n4ksxF-uqzZqzxs1f4jAAB1g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37181
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Fri, Nov 22, 2019 at 12:48 AM Roberto Polli <robipolli@gmail.com> wrote: > Hi Rob & co, > > Il giorno ven 22 nov 2019 alle ore 07:05 Rob Sayre <sayrer@gmail.com> > ha scritto: > > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on > YouTube[1], and it seems like it's going to end up in this WG. > Interesting thread: the video is at > https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000 > > > I'd like to suggest adopting something very similar to AWSv4. > iiuc the approach of draft-cavage and signed-exchange is very similar > and the signed-exchange workgroup made a lot of progresses. > AWSv4 seems to me quite limited and IMHO if you expand it you'll > eventually end with > draft-cavage or http-signatures. > It is quite limited, and imho that's a good thing. The idea Annabelle has put forth regarding a core signing specification seems like a good idea. In my mind, that would hopefully build in something similar to AWSv4, while also allowing others to build more complex and/or flexible features on top of it. Unrelatedly: one use case for these features are media uploads. It's pretty common to break them up into several requests so they can be resumed and retried at some level of granularity. AWS has some APIs that do this, but their chunk sizes are quite large. Lots of mobile apps end up building similar features with much smaller chunk sizes. For these use cases, signing the payload in a trailer isn't so important, since the chunks are pretty small anyway. thanks, Rob
- HTTP Signing Rob Sayre
- Re: HTTP Signing Roberto Polli
- Re: HTTP Signing Stephane Bortzmeyer
- Re: HTTP Signing Richard Backman, Annabelle
- Re: HTTP Signing Roberto Polli
- Re: HTTP Signing Richard Backman, Annabelle
- Re: HTTP Signing Roberto Polli
- Re: HTTP Signing Rob Sayre
- Re: HTTP Signing Jeffrey Yasskin