Re: HTTP Signing

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 22 November 2019 12:41 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Roberto Polli <robipolli@gmail.com>, Rob Sayre <sayrer@gmail.com>, Liam Dennehy <liam@wiemax.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: HTTP Signing
Date: Fri, 22 Nov 2019 11:10:00 +0000
Message-ID: <3827BF1B-C7D7-45F5-833A-07CA72B64A12@amazon.com>
References: <CAChr6SwoGTULzG5jKsEbPRbzb1qK6F-sKT8ArEyQ3BA6T78YAQ@mail.gmail.com> <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>
In-Reply-To: <CAP9qbHXSAam1i=6B7mnEpPh3d-yzVOLQk2Vj25f9QNsoe0uaaw@mail.gmail.com>
Archived-At: <https://www.w3.org/mid/3827BF1B-C7D7-45F5-833A-07CA72B64A12@amazon.com>

There are some conceptual similarities between AWS Signature Version 4 (SigV4) and draft-cavage-http-signatures. Both signing mechanisms provide some flexibility regarding what protocol elements are covered by the signature, but cavage goes further here. Conversely, SigV4 has more rigorous canonicalization language. Ultimately these two concepts are the key to success here.

I believe the best path is for us to produce a core signing specification that defines signature generation and validation without getting prescriptive about what elements get signed. That can then be profiled (here in http, in oauth, in OpenID FAPI, ...) as needed, with profiles getting more or less prescriptive as is appropriate. That core spec is what I am currently working on, starting from cavage. I hope to have an I-D ready to present to the working group for adoption before the end of this year.

Here are a couple links, in case anyone is interested in learning more about SigV4:
 - Public documentation: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
 - Informational presentation I gave at IETF 105: https://www.youtube.com/watch?v=tUmT5qqlKik&feature=youtu.be&t=6400

– 
Annabelle Richard Backman
AWS Identity
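As an added illustration of the two points raised above (flexible coverage of protocol elements, and canonicalization), here is a small Python signer and verifier that follows draft-cavage's signing-string construction; it is not code from this message or from either specification. The request headers and the HMAC key are constructed samples, and the `required` argument stands in for whatever a profile (HTTP, OAuth, FAPI) would mandate be covered.

```python
import base64
import hashlib
import hmac

# Constructed sample request: header fields kept as (name, value) pairs so a
# repeated field is canonicalized the way draft-cavage specifies (joined ", ").
HEADERS = [("Host", "example.org"), ("Date", "Tue, 07 Jun 2014 20:51:35 GMT"),
           ("X-Note", "  first "), ("X-Note", "second")]
SECRET = b"constructed-shared-secret"  # hypothetical HMAC key for keyId "k1"


def signing_string(method, path, headers, covered):
    """One "name: value" line per covered identifier, joined with "\\n".
    (request-target) becomes lowercased method + " " + path; header names
    are lowercased, values trimmed, repeated fields joined with ", "."""
    lines = []
    for name in covered:
        values = ([f"{method.lower()} {path}"] if name == "(request-target)"
                  else [v.strip() for n, v in headers if n.lower() == name])
        if not values:
            raise ValueError(f"covered header {name!r} missing from request")
        lines.append(f"{name}: {', '.join(values)}")
    return "\n".join(lines)


def sign(key_id, secret, method, path, headers, covered):
    """Signature header value, hmac-sha256 over the signing string."""
    mac = hmac.new(secret, signing_string(method, path, headers, covered)
                   .encode(), hashlib.sha256).digest()
    return (f'keyId="{key_id}",algorithm="hmac-sha256",headers="'
            f'{" ".join(covered)}",signature="{base64.b64encode(mac).decode()}"')


def verify(secret, method, path, headers, sig_header, required):
    """True only if the MAC checks AND every identifier the profile requires
    is covered: a valid signature over too few elements is still rejected."""
    params = {}
    for part in sig_header.split(","):
        key, value = part.split("=", 1)
        params[key] = value.strip('"')
    covered = params.get("headers", "date").split(" ")  # draft default: date
    if params.get("algorithm") != "hmac-sha256" or not set(required) <= set(covered):
        return False
    try:
        mac = hmac.new(secret, signing_string(method, path, headers, covered)
                       .encode(), hashlib.sha256).digest()
    except ValueError:  # covered header absent: signature cannot be checked
        return False
    return hmac.compare_digest(base64.b64encode(mac).decode(), params["signature"])
```

The core spec decides how the string is built and checked; the profile decides what `required` contains, which is the split the message proposes.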
 

On 11/22/19, 4:52 PM, "Roberto Polli" <robipolli@gmail.com> wrote:

    Hi Rob & co,
    
    On Fri 22 Nov 2019 at 07:05 Rob Sayre <sayrer@gmail.com>
    wrote:
    > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on YouTube[1], and it seems like it's going to end up in this WG.
    Interesting thread: the video is at
    https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000
    
    >  I'd like to suggest adopting something very similar to AWSv4.
    iiuc the approach of draft-cavage and signed-exchange is very similar
    and the signed-exchange workgroup made a lot of progress.
    AWSv4 seems to me quite limited and IMHO if you expand it you'll
    eventually end up with
    draft-cavage or http-signatures.
    
    > I've implemented the server side of AWSv4 [...]
    > it's possible to use off-the-shelf AWSv4 client SDKs, make up your own "service" name, and implement the server side of the protocol
    Understood, though AWS can change that SDK in the future as that's
    tied to their infrastructure.
    
    > [1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
    > [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    
    Regards,
    R.