Re: HTTP Signing

Roberto Polli <robipolli@gmail.com> Fri, 22 November 2019 08:51 UTC

From: Roberto Polli <robipolli@gmail.com>
Date: Fri, 22 Nov 2019 09:48:43 +0100
Message-ID: <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>, Liam Dennehy <liam@wiemax.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>

Hi Rob & co,

On Fri, 22 Nov 2019 at 07:05, Rob Sayre <sayrer@gmail.com> wrote:
> I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on YouTube[1], and it seems like it's going to end up in this WG.
Interesting thread: the video is at
https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000

>  I'd like to suggest adopting something very similar to AWSv4.
IIUC the approach of draft-cavage and signed-exchange is very similar,
and the signed-exchange workgroup has made a lot of progress.
AWSv4 seems to me quite limited, and IMHO if you expand it you'll
eventually end up with draft-cavage or http-signatures.

> I've implemented the server side of AWSv4 [...]
> it's possible to use off-the-shelf AWSv4 client SDKs, make up your own "service" name, and implement the server side of the protocol
Understood, though AWS can change that SDK in the future, as it's
tied to their infrastructure.

> [1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
> [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html

Regards,
R.