IETF Logo Mail Archive

Re: Signing HTTP messages was: Client as Server: auth use case

Henry Story <henry.story@bblfish.net> Thu, 11 February 2021 15:29 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A3F3A16A3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 11 Feb 2021 07:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.671
X-Spam-Level:
X-Spam-Status: No, score=-2.671 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAnv16AzuSQT for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 11 Feb 2021 07:29:36 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C86FD3A169F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 11 Feb 2021 07:29:36 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lADsJ-0002Lm-HR for ietf-http-wg-dist@listhub.w3.org; Thu, 11 Feb 2021 15:27:23 +0000
Resent-Date: Thu, 11 Feb 2021 15:27:23 +0000
Resent-Message-Id: <E1lADsJ-0002Lm-HR@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <henry.story@bblfish.net>) id 1lADsH-0002L1-0L for ietf-http-wg@listhub.w3.org; Thu, 11 Feb 2021 15:27:21 +0000
Received: from mail-wm1-x32d.google.com ([2a00:1450:4864:20::32d]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <henry.story@bblfish.net>) id 1lADsD-0003Ij-Jn for ietf-http-wg@w3.org; Thu, 11 Feb 2021 15:27:19 +0000
Received: by mail-wm1-x32d.google.com with SMTP id w4so5915643wmi.4 for <ietf-http-wg@w3.org>; Thu, 11 Feb 2021 07:27:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bblfish-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Wp5sF8yVptoJMPpD7EsIoQkglXJasFRlCbdXzZ95G2k=; b=D4z3bUOMJGfZqTgcz5ZY8gV5+YpdPlKBLg5RYGqW1BBCis8v5czCkziGYvfFSCzvzh 930Sib22lScE3wltPxgOjw4AgUfaxuLFYSLxMK00l0NCL4mN02d/t+e8mS0RHpKGz8zY vLpO4Vjxt+BhD25q2ldzfq++blfSOJS0tdaOL/z2Oy0o79jByGepKvGeU+Uw+FdCEAzw 9qPfrUx6i1TFZjTmeAj+8qQNVexyrp8yp7qf4j9KcjDD5PMJQKp7HdoAAoRS7Fnbgtkc w3KEXxgg8YagscA4rxSS5uRVMqC2qN9VbxNEycrycG95TCNJ24v/WteR3XlFFaDabsMc zeZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Wp5sF8yVptoJMPpD7EsIoQkglXJasFRlCbdXzZ95G2k=; b=qkbfsbNe8/iuNCHW+cxOq4Asx6XD77PZJnubhjl8Ha7c4NRFecCg+cuNygyVySXHkX ZUIGnj0mE3TOWZO2zP2GK+va+NBCwWcc4VhaI7H3icuL6UmXFlTsQUjJTDrmPFrYyA+j M9hF63bWBcBiCc5ca60prOFFu+ctOlZSzJvSgMSKjVs6uIQdSuAZlL+qFDVfVnZL/rP0 HryZCIY1wc1oXej8HJkckzz1wspG99v6ko4rcXQwyyPBUdH++QuKXPXcXkRFnHUC1bwy GJx4QRSStVPfABViROGgSwiQD923i+yKlXUrzLKM6BM+2UfmcAFzTWmkMHI78f1dKVcM 3Snw==
X-Gm-Message-State: AOAM533dkTPmz00uEMOw66ct0RX3LowQUAiLwTYVZtD8p/+4+9eEU16N 3FpICLGHa/j425pQ4LZkX3e3YUKcgo4QNQ==
X-Google-Smtp-Source: ABdhPJw2l5UBabKmC8ceN1sxGGvIsWMVF9bIz6GMaJDvf53WVgX+j9E3jSSbI1B7hoHxgOcuKQY5og==
X-Received: by 2002:a05:600c:3589:: with SMTP id p9mr5760870wmq.18.1613057225666; Thu, 11 Feb 2021 07:27:05 -0800 (PST)
Received: from ?IPv6:2003:cf:1706:f200:51e3:cb59:7ed7:415f? (p200300cf1706f20051e3cb597ed7415f.dip0.t-ipconnect.de. [2003:cf:1706:f200:51e3:cb59:7ed7:415f]) by smtp.gmail.com with ESMTPSA id z63sm10958761wme.8.2021.02.11.07.27.04 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Feb 2021 07:27:04 -0800 (PST)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <FC58F3D6-E56A-4813-AA95-1016A670B4F2@bblfish.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_13DD3BEA-9319-4265-AD2B-643E367CDE52"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Thu, 11 Feb 2021 16:27:01 +0100
In-Reply-To: <346DB72B-B208-42EB-A163-AB6FF48B92BC@bblfish.net>
Cc: Cory Benfield <cory@lukasa.co.uk>
To: HTTP Working Group <ietf-http-wg@w3.org>
References: <59C947BD-9BB7-4C4A-A175-1625F640EBCA@bblfish.net> <CAH_hAJH14SLkJ9K-fMt3ke24OELciUtA9dxMqN1KfgqHHpPBgw@mail.gmail.com> <346DB72B-B208-42EB-A163-AB6FF48B92BC@bblfish.net>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Received-SPF: none client-ip=2a00:1450:4864:20::32d; envelope-from=henry.story@bblfish.net; helo=mail-wm1-x32d.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=henry.story@bblfish.net domain=bblfish-net.20150623.gappssmtp.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1lADsD-0003Ij-Jn 4a21a32be7397b7db21d6db08c253875
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Signing HTTP messages was: Client as Server: auth use case
Archived-At: <https://www.w3.org/mid/FC58F3D6-E56A-4813-AA95-1016A670B4F2@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38586
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Here is an extra use case of allowing one to specify URI’s in
the keyId field of the Signing HTTP Messages spec proposal.

Let us say we have a key URN format which allows one to pass the key as a URN
directly, a bit like one can have data urls. This would allow one to send an
HTTP request using the HTTP Signatures spec  like this:

GET /protected/resource HTTP/2.0
Credential: >/creds/age<
Signature-Input: sig1=(); keyId="<key:rsa:dsf234....>"; created=1402170695
Signature: sig1=:cxieW5ZK...
And the server would then using P2P extension for HTTP/2 discussed below,
be able to take on the role of a client and on the same connection ask
for the relative URL

GET /creds/age HTTP/2.0

The server could on receipt of this credential (or proof) be able to save
it in its cache under <key:rsa:dsf234..../creds/age> so that when
the client the next time comes with that keyId the server could
immediately fetch the credential in its store, after verifying the signature,
without needing to make a request to the server. After all the server knows
nothing about the client other than it's public key and so it may as well name it as that.

I would not be surprised if there is already a key URN specified somewhere,
but it should be quite easy to do.


> On 5 Feb 2021, at 14:32, Henry Story <henry.story@bblfish.net> wrote:
> 
> Hi,
> 
>  I wrote up how Signing-HTTP messages can work with our Solid use case
> and referred to Cory Benfield's Spec as a very elegant (potential) way the server
> could download a key or a Credential when authenticating.
> 
> https://github.com/bblfish/authentication-panel/blob/HttpSig/HttpSignature.md
> 
> This is leading me to think that we could do with a slight alteration to the
> Signing-HTTP message spec. Our use case I think justifies it.
> 
> Namely: I think it would help if the keyId field of the Signature-Input
> header could allow not just opaque tokens to be passed as values but also
> relative or absolute URLs. This could be made clear by specifying that
> when enclosed with `<` and `>` a URL is intended. In the spec I give
> two examples, one of which is
> 
> Signature-Input: sig1=(); keyId="</keys/test-key-a>"; created=1402170695
> Signature: sig1=:…
> 
> the other is
> 
> Signature-Input: sig1=(); keyId=”<https://alice.freedombox/keys/test-key-a>"; created=1402170695
> Signature: sig1=:…
> 
> The advantages of http urls is that they allow the client to create a key using POST or PUT,
> edit them with PUT or PATCH and DELETE them, solving the key revocation problem.
> 
> Thinking ahead with Cory Benfield’s P2P protocol draft in mind, made consider that we should
> keep open the option for relative URLs to be enclosed in `>` and `<` which would be relative URLs
> dereferenceable on the client, when it takes on the role of server on the same
> connection using something filling in the role of your P2P extension.
> 
> Signature-Input: sig1=(); keyId=”>/keychain/test-key-a<"; created=1402170695
> Signature: sig1 …
> 
> This may not be so useful for keys, but more for passing the certificate once the key
> has been verified. (The server could then tie the URL to the key, and perhaps find the
> key had been sent in a previous request).
> 
> I would also be very interested on feedback on my HTTP Signature for Solid
> proposal of course :-)
> 
> Henry
> 
>> On 27 Jan 2021, at 11:04, Cory Benfield <cory@lukasa.co.uk> wrote:
>> 
>> This is an idea that comes up a lot. In fact, it has come up so much
>> that I wrote a draft that would attempt to encode this idea in HTTP/2
>> back in 2015. https://tools.ietf.org/html/draft-benfield-http2-p2p-02
>> 
>> The issue I bumped into then is the same one that faces you now.
>> Specifying this behaviour is not terribly hard: demonstrating that
>> it's sufficiently useful to implement is. It is likely to be
>> substantially more useful to attempt to actually deploy such an
>> extension in a controlled environment and demonstrate its utility in
>> that space, then return with a specification.
>> 
>> Cory
>> 
>> On Tue, 26 Jan 2021 at 14:23, Henry Story <henry.story@bblfish.net> wrote:
>>> 
>>> Hi,
>>> 
>>> I was wondering if the newer versions of HTTP (perhaps Quic)
>>> can allow the server to make a request back to the client as
>>> an HTTP request. This could be useful for exchanging keys or
>>> certificates in a RESTful way.
>>> 
>>> As an example take the "Signing HTTP Messages” spec, which has a
>>> keyId field. The value placed there could be a full URL (did, https, …)
>>> pointing to a key on the web, or it could be a key stored on
>>> the client with a relative URL path. This would allow the server
>>> for that connection make a simple HTTP GET request on that
>>> relative URL to the client.  (These relative urls function here
>>> as indexicals as ”you” and ”I” in a conversation between two
>>> people).
>>> 
>>> Going further the client might want to add a ”Credential: …” header
>>> with as value a URL. This could be a full URL pointing to a credential
>>> on the Web, or perhaps a relative URL to be resolved by the server
>>> by asking the client.
>>> 
>>> The value is that in both cases if the server has cached the key
>>> or credential it would not need to be fetch it again. Another one
>>> is that key material and credentials would not need to be fetched
>>> on the web - reducing dependency on other services, requiring credentials
>>> to be published, …
>>> 
>>> One would need to make a distinction between relative URLs
>>> to be resolved on $you the server or $me the client.
>>> 
>>> There may be many other use cases for allowing the server
>>> to make requests to the client on the same connection.
>>> 
>>> Thanks in advance,
>>> 
>>> 
>>> [1] https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-01
>>> 
>>> Henry Story
>>> 
>>> https://co-operating.systems
>>> WhatsApp, Signal, Tel: +33 6 38 32 69 84‬
>>> Twitter: @bblfish
>>> 
> 
> Henry Story
> 
> https://co-operating.systems
> WhatsApp, Signal, Tel: +33 6 38 32 69 84‬
> Twitter: @bblfish
> 

Henry Story

https://co-operating.systems
WhatsApp, Signal, Tel: +33 6 38 32 69 84‬
Twitter: @bblfish

v2.23.0 | Report a Bug | By Email