Serialization#draft-ietf-httpbis-message-signatures-00

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 17 July 2020 07:53 UTC

From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: ietf-http-wg@w3.org
Message-ID: <c8082fbf-56db-89d3-ac2e-921953416a78@gmail.com>
Date: Fri, 17 Jul 2020 09:52:39 +0200
Subject: Serialization#draft-ietf-httpbis-message-signatures-00
Archived-At: <https://www.w3.org/mid/c8082fbf-56db-89d3-ac2e-921953416a78@gmail.com>

Dear List,
Making signed HTTP requests serializable (in a reasonable way) is as far as I can tell not a part of the current agenda.

FWIW, here is a [very] raw proposal for how this could be accomplished:
- Build on JWS compact mode.
- Put a hash and attributes of the signed HTTP header data (you're the experts on this part) in the JWS Protected Header as an extension.
- Put the payload in the JWS Payload element using the standard base64url encoding.
   Optionally use the JWS "typ" Protected Header element to specify MIME type of the payload
- Use the completed JWS compact string as the sole HTTP Body element

For JSON-formatted data there is yet another possibility: combine https://www.rfc-editor.org/rfc/rfc8785.html with "in-line/detached" JWS ( https://tools.ietf.org/html/rfc7515#appendix-F):
   {
      "anyJsonElement": "something",
          .
          .
      "signature":"eyJblahblahblah..blahblahblah"
   }

In both cases the HTTP Body element contains the serializable signed data.  Verifying signed HTTP header data is though not possible to perform after leaving the HTTP environment.  OTOH, for systems that actually depend on serialization, using HTTP headers as data carriers doesn't appear as a recommendable approach.  In my own work which heavily builds on counter-signatures for digital contracts, URL and current time are therefore represented in the JSON payload by "requestUrl" and "timeStamp" respectively.

Thanx,
Anders
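
Added example (not part of the original message, and not code from the author or the draft): the second option above, a JSON object carrying a detached JWS (RFC 7515 Appendix F) in a "signature" property, sketched in Python. HS256 with a shared key, the helper names, the sample values, and the simplified canonicalization (a stand-in for RFC 8785 that agrees with it only for ASCII keys, strings and integers) are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-not-for-production"   # constructed sample key
SAMPLE = {                                         # constructed sample data
    "requestUrl": "https://example.com/contracts/42",
    "timeStamp": "2020-07-17T07:52:39Z",
    "amount": 100,
}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical(obj) -> bytes:
    # Assumption: simplified stand-in for RFC 8785 (sorted keys, no
    # whitespace, UTF-8). Not valid JCS for floats or non-BMP key names.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def _mac(header_b64: str, body: dict, key: bytes) -> str:
    # JWS signing input is header "." payload, even when the payload is detached.
    signing_input = f"{header_b64}.{b64u(canonical(body))}".encode("ascii")
    return b64u(hmac.new(key, signing_input, hashlib.sha256).digest())

def sign(obj: dict, key: bytes) -> dict:
    header_b64 = b64u(canonical({"alg": "HS256"}))
    # Detached form: the payload segment between the two dots is left empty.
    return {**obj, "signature": f"{header_b64}..{_mac(header_b64, obj, key)}"}

def verify(signed: dict, key: bytes) -> bool:
    body = dict(signed)
    sig = body.pop("signature", None)      # signature covers everything else
    if not isinstance(sig, str):
        return False
    parts = sig.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    try:
        header = json.loads(b64u_decode(parts[0]))
    except ValueError:
        return False
    if header != {"alg": "HS256"}:         # pin the algorithm; never trust "alg"
        return False
    return hmac.compare_digest(_mac(parts[0], body, key), parts[2])
```

Because verification re-canonicalizes the parsed object, the signed document survives being stored, pretty-printed or re-ordered as long as the values themselves are unchanged.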