Re: Web Keys and HTTP Signatures
Ken Murchison <murch@andrew.cmu.edu> Thu, 18 April 2013 15:50 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABF121F8960 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 08:50:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5XOSuGPvYs1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 08:50:20 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 50A8621F891D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 08:50:20 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USr5F-0006Ue-AI for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 15:49:13 +0000
Resent-Date: Thu, 18 Apr 2013 15:49:13 +0000
Resent-Message-Id: <E1USr5F-0006Ue-AI@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <murch@andrew.cmu.edu>) id 1USr5B-0006R4-GC for ietf-http-wg@listhub.w3.org; Thu, 18 Apr 2013 15:49:09 +0000
Received: from smtp.andrew.cmu.edu ([128.2.11.96]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <murch@andrew.cmu.edu>) id 1USr5A-0000GG-DN for ietf-http-wg@w3.org; Thu, 18 Apr 2013 15:49:09 +0000
Received: from Kens-MacBook-Air.local (cpe-76-180-197-142.buffalo.res.rr.com [76.180.197.142]) (user=murch mech=PLAIN (0 bits)) by smtp.andrew.cmu.edu (8.14.4/8.14.4) with ESMTP id r3IFmZWY023029 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-http-wg@w3.org>; Thu, 18 Apr 2013 11:48:42 -0400
Message-ID: <517015DE.3090904@andrew.cmu.edu>
Date: Thu, 18 Apr 2013 11:48:46 -0400
From: Ken Murchison <murch@andrew.cmu.edu>
Organization: Carnegie Mellon University
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <516FFCD4.8070701@cs.tcd.ie>
In-Reply-To: <516FFCD4.8070701@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------000104000502070504040302"
X-PMX-Version: 5.5.9.388399, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.4.9.4220
X-SMTP-Spam-Clean: 8% ( BODY_SIZE_6000_6999 0, BODY_SIZE_7000_LESS 0, RDNS_GENERIC_POOLED 0, RDNS_POOLED 0, RDNS_RESIDENTIAL 0, RDNS_SUSP 0, RDNS_SUSP_GENERIC 0, RDNS_SUSP_SPECIFIC 0, TO_NO_NAME 0, __BAT_BOUNDARY 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CP_URI_IN_BODY 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_ALT 0, __HAS_HTML 0, __HAS_MSGID 0, __MIME_HTML 0, __MIME_VERSION 0, __MOZILLA_MSGID 0, __RDNS_POOLED_2 0, __SANE_MSGID 0, __TAG_EXISTS_HTML 0, __TO_MALFORMED_2 0, __URI_NO_MAILTO 0, __URI_NO_WWW 0, __USER_AGENT 0)
X-SMTP-Spam-Score: 8%
X-Scanned-By: MIMEDefang 2.60 on 128.2.11.96
Received-SPF: none client-ip=128.2.11.96; envelope-from=murch@andrew.cmu.edu; helo=smtp.andrew.cmu.edu
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: AWL=-1.950, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.702
X-W3C-Scan-Sig: lisa.w3.org 1USr5A-0000GG-DN 371c1ad8323fc77cf8651144a9062a9c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/517015DE.3090904@andrew.cmu.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17337
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 04/18/2013 10:01 PM, Stephen Farrell wrote: > And in the "other relevant work" thread, aside from httpauth > (where I'm a co-author on a similar-ish proposal [1] and be > happy to chat about it, maybe the http-auth list is better > though), there's also work to use DKIM-like headers for > iSchedule [2]. I've not read this though (yet) to see if > they're all really that different or not. > > Cheers, > S. > > [1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba > [2] http://tools.ietf.org/html/draft-desruisseaux-ischedule I was also going to suggest folks look at iSchedule, which leverages the already proven/scrutinized DKIM technology for signing its HTTP requests. That draft is only concerned about iSchedule and not general purpose HTTP requests, but a similar methodology could be used. A few things to note: * Earlier versions of the draft signed both the request-line and Host header, but we found in interop testing that intermediaries might alter the request-target and/or Host, thus breaking the signature. We punted on both because 1) all iSchedule requests are sent to one request target (there is only a single "resource" on an iSchedule receiver) therefore the receiver can determine if the request-target is valid, and 2) the receiver can deduce from the signed Recipient header(s) if it was the intended Host. My guess is that both of these issues would have to be addressed if a DKIM-like method was going to be applied to general HTTP requests. Use of the Forwarded header [3] might help in addressing these issues, but I haven't thought much about it. * Earlier versions of the draft used the standard DKIM "relaxed" header canonicalization algorithm, but we found in interop testing that intermediaries and/or HTTP libraries might combine multiple headers of the same name (#list-type header) into a single header, thus breaking the signature. As a result, we had to define our own "ischedule-relaxed" header canonicalization algorithm which essentially combines such headers before signing/verifying. * iSchedule is only concerned with signing requests at a domain level, not on an individual user level. A new DKIM key query method might be able to be designed to handle fetching of user keys. [3] http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded -- Kenneth Murchison Principal Systems Software Engineer Carnegie Mellon University
- Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures David I. Lehn
- RE: Web Keys and HTTP Signatures Manger, James H
- Re: Web Keys and HTTP Signatures Martin Thomson
- Re: Web Keys and HTTP Signatures David I. Lehn
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Amos Jeffries
- Re: Web Keys and HTTP Signatures Daniel Friesen
- Re: Web Keys and HTTP Signatures Stephen Farrell
- Re: Web Keys and HTTP Signatures David Morris
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Ken Murchison
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Nico Williams
- Re: Web Keys and HTTP Signatures Nico Williams