IETF Logo Mail Archive

Re: Call for Adoption: draft-richanna-http-message-signatures

Roberto Polli <robipolli@gmail.com> Fri, 10 January 2020 16:31 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E10EE1209A4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 Jan 2020 08:31:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4oSdG8eWGMj for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 Jan 2020 08:31:56 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D24BE1209BE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 10 Jan 2020 08:31:47 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ipx9r-00039v-Sd for ietf-http-wg-dist@listhub.w3.org; Fri, 10 Jan 2020 16:29:11 +0000
Resent-Date: Fri, 10 Jan 2020 16:29:11 +0000
Resent-Message-Id: <E1ipx9r-00039v-Sd@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <robipolli@gmail.com>) id 1ipx9q-00039H-JH for ietf-http-wg@listhub.w3.org; Fri, 10 Jan 2020 16:29:10 +0000
Received: from mail-vs1-xe43.google.com ([2607:f8b0:4864:20::e43]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <robipolli@gmail.com>) id 1ipx9o-0004Sf-Gl for ietf-http-wg@w3.org; Fri, 10 Jan 2020 16:29:10 +0000
Received: by mail-vs1-xe43.google.com with SMTP id k188so1603771vsc.8 for <ietf-http-wg@w3.org>; Fri, 10 Jan 2020 08:29:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=YmwAQYs6AzQs2JSe+GUJtxXKcirZQVJWug9knkx7TrQ=; b=gP4CCs3o1Ad7B45Q3DJsUx2xbEym8/u+6/ncVdgzhy4/PhVDxclOm+nmo3IIWfFVyj kVxe0JgQL0S48dBMTaxu9e4COQI+fmCIhY3qbmaQZS/Dac/oqCn1CpHdIm9Bw+6XypVv kNusfblPmS8RizmD1NiSm455IBulfdXvouhB5Z+et5wLVorjMEnBMfkig669Jb3kxnJU +4Ql5K+f5HV6BMk01xTvkiLD4IghHlbE/hehmNuyDVQ2r89JO6vOqWuj48okZh8skKMz VUaXTWjSo06m3PnmWCSaqj4aPB99yqusxorCZLBZqr12Pz8AsUrrJrdGGdIAe2XKFcpD N/Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=YmwAQYs6AzQs2JSe+GUJtxXKcirZQVJWug9knkx7TrQ=; b=j2/fxCnp3xga/lfD8l+rka8xU5bPYzd0557bFtrYRiCt/cwaRw9nCAfIR7g1LdeCNN JulF3vm+WII2tEQolSj1DuyebYWi6a8GD6DQF0Yf4TwtPd58vuoQROYeNls5Tsbg/Xqb ex08xJm0nry7OhmxVywG1VqJ9HISAyjGIeFrVstQmHc/6MlUaUomHduaLcLS1ULI1BL3 qN07w80NyqYOlD5ZKd5lc4Hs86yPJ0xg9kIx1CgfODQe15y2KPx0klbQVSrBD+RGnnvz t86nnZAH19AGqznWFUTFswy70u0+8rbsghHia817/iSZx05Ujoqz0Ia4m8+AjNGbpDaY 80cQ==
X-Gm-Message-State: APjAAAWvvSg9r/QsIKivWFW1F6aejFbQg4uQnMF4hH+iGrSNGvuslBOn KUb9MiKgNO9HYJ2qGPl0A2jL1SGX+19bzVmMZZ4=
X-Google-Smtp-Source: APXvYqwmK2RLISI1Hmv1dOKpFz0LfsPm1DzAYVqwesEKDOWbKmactAZlsbXQbmSpvyqy/bdfw3LB/fQL5TSmgkCef70=
X-Received: by 2002:a67:f282:: with SMTP id m2mr2174797vsk.37.1578673747211; Fri, 10 Jan 2020 08:29:07 -0800 (PST)
MIME-Version: 1.0
References: <76565D7E-C7F5-4D5D-BE3A-6E686E096B14@mnot.net> <1bf9b1fb-10d0-4948-a7e6-a913e54b7828@www.fastmail.com> <279D48F9-FE36-474B-B2F9-48C4E3713229@mit.edu> <1AB9E384-A73A-4420-9F60-43FE53F62AE5@amazon.com> <78077793-5ef1-41b8-aad0-534a894259a0@www.fastmail.com> <CAChr6SyxhqpJQQy3iWt_y9eC2uTdUwQdJ5VEzXoU4ZF0dM1C2w@mail.gmail.com>
In-Reply-To: <CAChr6SyxhqpJQQy3iWt_y9eC2uTdUwQdJ5VEzXoU4ZF0dM1C2w@mail.gmail.com>
From: Roberto Polli <robipolli@gmail.com>
Date: Fri, 10 Jan 2020 17:28:49 +0100
Message-ID: <CAP9qbHUYs_g1aiPpjs6bLb2iLG+FkN6d4Y3rOuLFxSbb4rdx8g@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, "Richard Backman, Annabelle" <richanna@amazon.com>, Justin Richer <jricher@mit.edu>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2607:f8b0:4864:20::e43; envelope-from=robipolli@gmail.com; helo=mail-vs1-xe43.google.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1ipx9o-0004Sf-Gl 72f9044750999919957c1edbcb61d151
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: draft-richanna-http-message-signatures
Archived-At: <https://www.w3.org/mid/CAP9qbHUYs_g1aiPpjs6bLb2iLG+FkN6d4Y3rOuLFxSbb4rdx8g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37249
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi @all,

IMHO it's time for a spec for  signingin http requests/responses
usable as a building block
for a non-repudiation framework for REST APIs.

I investigated on both webpack and cavage and
the first output is the `digest-headers` I-D and its `usage in
signature` section:

-  https://github.com/httpwg/http-extensions/blob/master/draft-ietf-httpbis-digest-headers.md#usage-in-signatures

About implementors, if we address the above use-cases we could try to involve
interested folks from public sector (the European Union will probably
start working on API standards).
This will open the door to many implementors.

Finally, replies to previous email follows.

Mark said:
> [...] if folks [are] willing to contribute [..] review drafts [..].
I'm in. Preliminary comments from various people are on this gdoc
http://bit.ly/384sZdF

Annabelle said:
>  a general purpose solution from this working group would help drive consistency rather
> than simply be the N+1'th standard.
Agree.

Martin said:
> [parts of draft-richanna]  overlaps with existing work from other IETF groups [..]
> what would we say about the interactions with the web packaging work?
This is a central point. Some of the changes in draft-cavage-11
come from WEBPACK (eg. the `created`, `expires` parameters).
I think more from WEBPACK could be used in draft-richanna.
See:
- https://github.com/w3c-dvcg/http-signatures/pull/37

Martin said:
> canonicalization of (subsets of) HTTP messages, probably belongs here
Agree.

Martin said:
> [...draft-richanna..]  defines a bespoke signing format
> [..] I would prefer [..] JWS, COSE, or even CMS
About JWS / COSE, see https://github.com/WICG/webpackage/issues/237
About CMS: can you do a proposal based on that?

Martin said:
> I wasn't [..convinced..] that the
>  draft was free from some very simple problems in signature
> construction.  An analysis of this is a surprisingly difficult [..]
A comparison with WEBPACK would be a good starting point.

Martin said:
> à la carte selection of what to sign [ may not be ] a good strategy.
IMHO signature validity boundaries analogous to `iat`,`exp`,`aud`,`iss`
should always be present.
Compulsory fields can be easily added in draft-richanna though.
See eg. https://github.com/w3c-dvcg/http-signatures/issues/66

Annabelle said:
> [draft-richanna .. ] does not [..] indicate what information [..]
> the sender must sign in order to be "secure."
Not sure about that. My experience with draft-cavage implementors make
me lean on
Martin's objections.

Martin said:
> The interaction between signing and intermediation
> [..] requires some attention.
IMHO signatures should ensure integrity
and I am not sure we have to support all possible
intermediation transformation. We can sort it out though.


Justin said:
> changing syntax and breaking with existing deployments
> of the Cavage series is absolutely on the table.
That's inevitable. We can't be secure and backward compatible.

If you read 'till there I owe you a beer :)

Peace,
R.

v2.23.0 | Report a Bug | By Email