Re: Signature Authentication Scheme
Ben Schwartz <bemasc@meta.com> Sun, 17 March 2024 13:28 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B8AC15198B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 17 Mar 2024 06:28:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.854
X-Spam-Level:
X-Spam-Status: No, score=-2.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="Xm2kZMgh"; dkim=pass (2048-bit key) header.d=w3.org header.b="a8oaW/dQ"; dkim=pass (2048-bit key) header.d=meta.com header.b="PHiX22da"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7CWToCNoa0u3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 17 Mar 2024 06:28:37 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85BBCC14F60C for <httpbisa-archive-bis2Juki@ietf.org>; Sun, 17 Mar 2024 06:28:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:MIME-Version:Content-Type:In-Reply-To:References:Message-ID: Date:CC:To:From:Reply-To; bh=Vot7OZRqy0zdoj9rm9IL+7bvY96GDI9RGWGWhhSh+Ms=; b= Xm2kZMghLniUrGffLDBCGyxHb1EdG3SmSqpzW16N+TIwM8bMkqu/2oOU8CCUJNkadbWRYpLOehv2l cBIzvnqeNRz9OFUtfRpMLz+trJoUx/A59GaCPdsnWXOW+crBd8ZZueONFbpYKfHJTVXENa9ZBG52i N4MJxrtSFMrQ1vcx0a/OVxYe7hP+fZ8JwwphqGG1ixpdgX0xYkdZ01MwWyDRyjBQNDmGtDwoQwRKG lstx9IExMKKiTkhyHRcUPkt3p6LN8NF+LLjs+Avhj87MNu9wBc6DII2TButGeFqlZmAYCj8EvvgUz 8TM78rOvTC1pIsA5xHDTEUGpKoeY0ZBoQA==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rlqW9-00EcUW-Bt for ietf-http-wg-dist@listhub.w3.org; Sun, 17 Mar 2024 13:25:37 +0000
Resent-Date: Sun, 17 Mar 2024 13:25:37 +0000
Resent-Message-Id: <E1rlqW9-00EcUW-Bt@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <prvs=880680fa5f=bemasc@meta.com>) id 1rlqW5-00EcTU-EI for ietf-http-wg@listhub.w3.org; Sun, 17 Mar 2024 13:25:33 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=MIME-Version:Content-Type:In-Reply-To:References:Message-ID:Date: Subject:CC:To:From:Reply-To; bh=Vot7OZRqy0zdoj9rm9IL+7bvY96GDI9RGWGWhhSh+Ms=; t=1710681933; x=1711545933; b=a8oaW/dQ5n77AVo+VAZqFKhQiqEs2wNzmFcmh+cHK/wkeM6 9qiE0t+snxYeuo5FppSsNtfo+4I089JyeIneczEANMgD21RsdN34VwjCQlYHIqHaLIcYQnhTdSrwk Qxdotvd9+Nh1vaGClhn7SI+7DHP1aOwpFpFD/SNlHR/0B03G+Ku4uTLXpLZvEt8EIQzWbTUGaMCVq q5jybkq7UEK8ejDR1oUidN8WrOLWhlMbTmVNJe6URc1qt4g6lDdRL8DYJUXRSiDbEUCxZ5oGTzB/N MkT78TySje5L5OEPKv/bBENrl/yGsL+SgwvCRdqr7dbHxeb6xZzfY0cR2zarYqJg==;
Received-SPF: pass (pan.w3.org: domain of meta.com designates 67.231.153.30 as permitted sender) client-ip=67.231.153.30; envelope-from=prvs=880680fa5f=bemasc@meta.com; helo=mx0b-00082601.pphosted.com;
Received: from mx0b-00082601.pphosted.com ([67.231.153.30]) by pan.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <prvs=880680fa5f=bemasc@meta.com>) id 1rlqW4-00CLzt-1b for ietf-http-wg@w3.org; Sun, 17 Mar 2024 13:25:33 +0000
Received: from pps.filterd (m0109331.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 42H9WJqJ009894; Sun, 17 Mar 2024 06:25:27 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=Vot7OZRqy0zdoj9rm9IL+7bvY96GDI9RGWGWhhSh+Ms=; b=PHiX22dakocPmNKobCNkdZLV5RZRrMlSlsktY5lOy5Kcwx46AhF/0pw3NpQC/BJ7/DDQ HY5P83re1sr/R04EbCB86BpXes6Bb4kBVAKQ4zLYWiKjWlwfnPJOYB2OluUgspbNI4Pp fJguG6gqwl2U0TYL38tIvXlkRRQi1W2M/3kav9xH/xil4SKN+KuwKe0qsfJO5Z30hqPp 6EEji5xeLC902g/6RHVFF2SBrXLAVlfgnF2fZ5lDuSs8uZo0ogqVh1XPki+Rt5v65eHh uHefUVEyXKVuSU0Xxq+OwRe7U76kWNZEd4hhHdneXZd22a+CKxbJYNtXAHX0kiCGHlT1 hg==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2041.outbound.protection.outlook.com [104.47.57.41]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3ww991ufgy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 17 Mar 2024 06:25:27 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cTMg1M4BssF89Sy7d7Nnj8ZsIRhoht8xWA2KXo6MtiHkz2iHfRPwU++kQDW9HsDd3OG+nJ9xzXUebwqfL0YCdAarj7QoGrIauWmj1lnXlW0rRrcYEhwbYM0kHACU+4xEyoUDEsGho9GeTStYZdr93OC4Jz8RkWCCCOb7IHHc8tOyYyCLShygkGYPh0dc9bgsSVGct302MDijeouwU+on8Y4DNvcjNlpxF8kBpaMWs9qaIQr8lgoJghsio9mn4gv3GmxdFLIH4PxyYJvbb0vFM0x6STziSz6iLmpYgYCI0zl3Lv/uE+QfRq1SMUvGlw9XKJ+sQbQtlbDTQVAY+FsHrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=z2gFvkQWsRfX0MJ15CD90wPiFyEr51wCRPer54y7AjE=; b=PTglnwESMH3b5OXoteNSAX/p6nMvUlfMrvG4h0iR6svkIHo7N9rbZgxpbZsFiJAFQnzCkuTJaco43iIXOvIGX8eC/Ap5q8szcwaZMBfow3PfKnCfJoedWrS8PT4wX4VYdaIvUwW2w+pjql0RFpYMa1m9vz+7l6Ys6h+ScceDHVi93GRZnc6YiGrVuuJOr8vXzZankrkYLDiMR9VMpwNot6QZYDhKv2rmi+3A9+MqFAT1l09jB81mFciOa3Uxs/Rvg4IaC9c3q+Hs0fS/KbRtuDfyv4GvlVG6xjLvazNL/ovGUDmA674CdvIlHp3CP/i9QRNJMim5ZIFPPpS/2zSn2g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from SA1PR15MB4370.namprd15.prod.outlook.com (2603:10b6:806:191::8) by MW4PR15MB4362.namprd15.prod.outlook.com (2603:10b6:303:bb::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.25; Sun, 17 Mar 2024 13:25:24 +0000
Received: from SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a]) by SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a%5]) with mapi id 15.20.7386.023; Sun, 17 Mar 2024 13:25:24 +0000
From: Ben Schwartz <bemasc@meta.com>
To: David Schinazi <dschinazi.ietf@gmail.com>, Justin Richer <jricher@mit.edu>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Signature Authentication Scheme
Thread-Index: AQHad5iTKCH8qKKrn0OtO13om8hQ8LE7cPwAgAB8tQA=
Date: Sun, 17 Mar 2024 13:25:24 +0000
Message-ID: <SA1PR15MB43706032D6D2847BDFACE4A3B32E2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <E1BFEFB3-A4B6-4697-91FE-37595A918203@mit.edu> <CAPDSy+4entagd0_fj=jUc8FEi5kCO045=8ULyLw-eJsP8Qy+JQ@mail.gmail.com>
In-Reply-To: <CAPDSy+4entagd0_fj=jUc8FEi5kCO045=8ULyLw-eJsP8Qy+JQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR15MB4370:EE_|MW4PR15MB4362:EE_
x-ms-office365-filtering-correlation-id: 49e61dc8-7808-4baa-cdfa-08dc4685b3d3
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JAPgaxLi8agTRG7ruOr8WiDa3oCflAl3pTjHGq5ToKfkiklW4dkbe91eE4M7B8+Ena/blBAPMxwaht4tBHehYl8XSA/3Qnn4FTbvTIAZ47fxWwmh0I4Zv3iwmPH7l9iXk37eq/lra9oUz3qGmx+sTi58HEjXbCDMKPs/YKe7g6d2nYurT6j07/EMLPQVZqUwG6lFBhbVTKvTbeLPy+zaCcdM7LXWb24l05Bdim9yR9nIe9nuIuRcMRm/BQSO3F/vDC7KTdPQakjTogtMcMzR/XmSnF0vP6Cnm1o1omSTUSOvxFRFSyt+Lld3/roVxzF9o4KTVn7ieS2eu4iO1F1W0nHle8g/xwsY7Ex5o3wUiy6gpDqYJUujov8I3/pBzkh8g+RHKRAAERxmhyceyvaX9DY8wrId/FHg+I9zuXxD3JEmLJW/yF8qPOoikyWt2Kv1HWt5vwPFSfMpd9fhPHn9Kq08+ZnlUQ8zZCEQDEUkGxdsjzlZgM1avQLTV1UsRxnyC3JAqiDYa/v3J98KDtiTmzDvxdDDj/RDWVwnSfjHREPP/RsTzvRrzHoo/u4zYQWr0UQGtPsfzV8LARW2Wn9VP7AFlOD/dv8Ya4KpcgGM4TaH7rURASguWpGc+Mu9hNIhnmkchqD2GwPYF4DTiJQ+v+B6zQNYpvPfytYlvUudaIf3r7upXj5biPlq9Ws6QxcmlFQc5VNNAzEb+WFoqQabxbmyQB3emWiJJCsaQXLnPUI=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SA1PR15MB4370.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(1800799015)(366007)(376005)(38070700009);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: XKJP6QhMTwrenXVZGDirPxQ697AC2FeAhvtxmPb4Q+J1x4LsjCr/MINtre9lM+VaJi8onzUeNekLfe37le6qCBKds8wFUCkmCTds+YQwW1ppJPeXnVjDE2uXAnHvjACsC/5IR3LrRzzIQk/rmCB4H5D9J82YJrSCAWUhJLJ7u5pohzOKiIcrF2pe007PP8nFAZcJWbq5Fo9rKR+LOSvE27FV5t4YH82cbobY8DSDKro4pWvnduTrEZ4xJliO+KY48XQS3nYu1SHwlxIaYlWyIrSpI5ytXyD71csOzwL0Ft2g37DZfWduHx96U7Vw6QuVeYDyA+jd2cTxUdiiBRblyxYQ8/HW/rz9cjN+ZpWnkASnL8vhdNJ3bOqVDe/Ol11tw+pbp2UOF32R5L+C+aVSA4nGou5BbMXkPGGAHhOO6GakFy64r9LbXaQcw2mxEs0WIPYwaS/Nic54+3fAL2QNZyC+VRefQprKPXWZ7ZDPZL43lCFZzd7SArgZZ4a6OnkLBv24lbUaXG6Vz8Aj9KGeFmspkEX0aFZN8MvmtWEQ117+hnvz2xEw6i0NtmGPDPcqLjCzmmv99eoWSPBOhQJiXRRuWkBjzhhlpNXW1FNiRMuj3e9kR9gfjf83bGGM5ozyEZlFZ9cY34pS4wGW/wCXgrHDecwj9IeIzJAXyV2/RDMVJY3nldX8cWU2tg5nyy9SqHJmAoVUkQlgUTEyFaoez6D6l1mHxcWOcvVd77dqJRsWTFG6S4BGT7Zyt9w9o4xv1dgTeYMXI64M5l71PKAh87m6ye1nKjnZfV0c1jZ9OrA2B2FmJLQAt+/AEsmo+jvvAQ7K0fO0pnUW9e3lWEtlZK6VZFOaStYLT3RbHp+D3Fe2Gt+b0a1lKD3cd+zX8muV1kbtGzl+BEsDX2bdUyXohBD5h/S5kWoVImmlXP9IOYJ/lg6412lfc1lKeRWCnqkqJa+hoAiAsGiGvvIYD3u1DDhqw4oWkFbXBDoBgfwNb5+DQJORBIx62BbIsa2GVBtf9BWxbH5NZrEoWsRBFM/Sq3+OOhHhGeese3LWCl/7RdfpjhXU1YruDkatI5Gh3qk577QLRCNhCqwYmzehXCgWS0XraHYhF+caJ/X6L3GMmp6YWC7SS5LD5PT2752VAsEiaN4ODwSJgu7DgcRj8sggbSaGw/P6wbwhhNJB0t7/NxHeF5vZ8H8Kyft2t48/acf3gJLOrHe/UcZFbeob08uBMmDBgKaKFOvMjLXJQPKS8EzsBWeCvfBnABmXQGdA5pPuAXoePXBxOdjoKa023xALNVSz3K4FTNQJU0sF+KsuVRC/x3aeWb6QSZNE/cSANJp/J3kJJ6TCF8E76Vx6szoQ93UT1Kwu/DqgL0q2A3fIMKcI41hXuX5TeTeumRnqNzJzi0rzGZzTVeP2wFlBITfjxwTm6qK5RRbr82pyO6DW8x11WjnewQ0zYwLhMs8XymZK5iQfn+spSS3OufIUQh1vRs2RFmnBEczstNGYcFPdWtZzYLqnPigs2uPvWhmM9boDFwr0UxiQJRt/JBAmKll4WdlVHMgs7CjPobGel/h+nAE=
Content-Type: multipart/alternative; boundary="_000_SA1PR15MB43706032D6D2847BDFACE4A3B32E2SA1PR15MB4370namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR15MB4370.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 49e61dc8-7808-4baa-cdfa-08dc4685b3d3
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2024 13:25:24.1024 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7ygyjUxy+KJT0gy+L+eK7gs3/C5B0MUtQNn054heAAI/FxFEAhgGNOhXgURLTW7d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR15MB4362
X-Proofpoint-GUID: k42GcYPG4qaJ5AT0URXeRS8woKVrzJM7
X-Proofpoint-ORIG-GUID: k42GcYPG4qaJ5AT0URXeRS8woKVrzJM7
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-17_09,2024-03-15_01,2023-05-22_02
X-W3C-Hub-DKIM-Status: validation passed: (address=prvs=880680fa5f=bemasc@meta.com domain=meta.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: ARC_SIGNED=0.001, ARC_VALID=-0.1, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1rlqW4-00CLzt-1b 266aa6dec2799d4cba9f99ccb45420e4
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Signature Authentication Scheme
Archived-At: <https://www.w3.org/mid/SA1PR15MB43706032D6D2847BDFACE4A3B32E2@SA1PR15MB4370.namprd15.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51887
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Bikeshed: Given that this scheme is limited to use with TLS, I think the scheme name (and perhaps also the document title) should include "TLS". --Ben ________________________________ From: David Schinazi <dschinazi.ietf@gmail.com> Sent: Sunday, March 17, 2024 1:58 AM To: Justin Richer <jricher@mit.edu> Cc: HTTP Working Group <ietf-http-wg@w3.org> Subject: Re: Signature Authentication Scheme Hi Justin, thanks for your comments. Responses inline. David On Sat, Mar 16, 2024 at 4: 59 AM Justin Richer <jricher@ mit. edu> wrote: I talked with David Oliver this morning at the hackathon, and I would like to raise some concerns about ZjQcmQRYFpfptBannerStart This Message Is From an External Sender ZjQcmQRYFpfptBannerEnd Hi Justin, thanks for your comments. Responses inline. David On Sat, Mar 16, 2024 at 4:59 AM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote: I talked with David Oliver this morning at the hackathon, and I would like to raise some concerns about the "Signature Authentication Scheme" draft (draft-ietf-httpbis-unprompted-auth) that mostly revolve around the positioning of the draft in the larger ecosystem. As many of you know, we recently published HTTP Message Signatures as RFC9421 (huge thanks to the working group and everyone that helped out!). That draft was over four years of work here in HTTP and many more years longer than that floating around in various incompatible I-D’s. It’s in this context that I am providing this feedback. 1: The title of the draft and use of "HTTP Signature" The draft draft-ietf-httpbis-unprompted-auth has no relationship whatsoever to RFC9421, in spite of a very similar name. The mechanism in draft-ietf-httpbis-unprompted-auth is not about signing the HTTP message itself (apart from the scheme/host/port exported form TLS in section 4.1), but about presenting a signature value to the server in the request. This signature is intended to be bound to the target URI of the request, regardless of what the request itself is. Furthermore, the method is restrained to a single hope as it is based on binding to TLS level key material (see section 8). Additionally, the draft currently defines a single algorithm for use, without cryptographic agility. This list is not meant a judgement on these choices, but rather to contrast with the choices made in RFC9421, which targets arbitrary portions of the message, does not constrain key material to the TLS connection, can be used through intermediaries, and provides a robust cryptographic agility and extension mechanism. At the very least, this draft needs to clearly differentiate itself from RFC9421 in both the introduction and relevant portions of the text. Even better, in my personal opinion, this draft should be called something different. It :uses: signatures to accomplish a specific goal similar to HOBA, but it does not provide a signature mechanism for HTTP. For what it's worth, the draft isn't "HTTP Signature Authentication", it's "The Signature HTTP Authentication Scheme". That said, if you feel there's confusion then this can definitely be approved. I'm not opposed to changing the name if we find something that makes sense. How would you feel about "A Signature-Based HTTP Authentication Scheme" or "HTTP Authentication Using Signatures"? Though this might be moot if we rename the scheme - see below. 2: The use of the "Signature" authentication scheme In draft-cavage-http-signatures, which was one of the precursor inputs to RFC9421, there is a "Signature" authentication scheme defined in Section 3. In RFC9421, we deliberately removed this feature, as the goal of RFC9421 was to specify a mechanism for signing requests and responses and not for presenting those signatures as authentication or authorization, which would be higher-level protocols. This would ostensibly mean that the "Signature" authentication scheme is up for grabs, but the truth of the situation is that the Cavage draft saw wide adoption of its various versions long before the HTTP WG picked up work on what became RFC9421. This means that there are existing ecosystems depending on their own definition of a "Signature" authentication scheme. When this draft is deployed, that collision is going to be a painful one. Furthermore, a naive developer would see this draft and grab a Cavage library to try and implement it. I believe that this draft should use a different scheme, both to avoid conflict with Cavage implementations and also in concert with the reasons for naming choices in (1). Thanks for flagging this, I was not aware of this prior use at all. Given that the current implementations haven't yet widely deployed, it's not too late to change the scheme. One potential option could be to lean into the prior name of the draft and use the scheme "UnpromptedSignature". Then the title of the document could be "The UnpromptedSignature HTTP Authentication Scheme", which would also be less confusing. Thoughts on that scheme name? Other proposals for different names? 3: The field format and syntax This draft defines its own field format and parameter encoding, based on base64url. As the values in question are binaries with labels, this is ripe for using structured fields. Is there a compelling reason not to? The syntax is ALMOST there as it stands today, so implementations wouldn’t need to change much in practice — but new implementations could rely on structured fields to provide parsing and serialization in a less error prone way. The compelling reason is that HTTP authentication parameters have a restricted set of characters that don't allow the unescaped colons required by sf-binary. A previous version of the draft wrapped this with double-quotes to make it both a structured field and a valid authentication parameter (it looked like ":foobar:"), but the WG decided to not do that and instead remove structured fields. 4: Compatibility with RFC9421 And finally, this draft invents its own signature base string generator and signature calculation method separate from RFC9421. It is neither necessary nor expected for all new drafts to follow the methods in RFC9421, but I believe it would be worth at least exploring if the corresponding parts of RFC9421 could be used in here. I have a feeling that the answer is "not really", or more likely "we could but it makes this specific use case way more complicated than it’s worth", and that is a reasonable outcome — but I’d like to see that this work has at least been considered. Thanks for the suggestion. I had reviewed the draft that became RFC 9421 back in the day, and I just looked through the relevant parts again. I don't think it makes sense to reuse it here. The focus then was on normalizing semantics that can be encoded multiple ways, and that's not a useful feature here. While there's often value in reusing existing tools, none of the four implementations of draft-ietf-httpbis-unprompted-auth have an implementation of RFC 9421, so we'd be adding complexity instead of leveraging synergy.
- Signature Authentication Scheme Justin Richer
- Re: Signature Authentication Scheme David Schinazi
- Re: Signature Authentication Scheme Ben Schwartz