Re: [jose] JOSE and signed REST requests

Justin Richer <jricher@mit.edu> Tue, 02 August 2016 10:44 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5609512D50D for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 03:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level:
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNyvraMPTTb6 for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 03:43:58 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39E312B041 for <jose@ietf.org>; Tue, 2 Aug 2016 03:43:58 -0700 (PDT)
X-AuditID: 1209190f-d7fff70000004dc9-3f-57a0796c6ab3
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id DD.22.19913.C6970A75; Tue, 2 Aug 2016 06:43:57 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u72AhtcH016347 for <jose@ietf.org>; Tue, 2 Aug 2016 06:43:56 -0400
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u72Ahsn6030735 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <jose@ietf.org>; Tue, 2 Aug 2016 06:43:55 -0400
To: jose@ietf.org
References: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu>
Date: Tue, 2 Aug 2016 06:43:49 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrCIsWRmVeSWpSXmKPExsUixG6nrptbuSDcYO4beYs1a7qZHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CV8XDtc+aCm1wVPbcdGhgfcXQxcnJICJhI9C05zt7FyMUhJNDG JHF5zVUo5wijRO+rw4wQznsmiZ8f3rKCtAgLGEpcXLcSzBYREJR4s3gKWxcjB1CRjcT2naYg YTYBVYnpa1qYQGxeASuJ1Re2gZWzCKhIXO04yAxSLioQI7G+LwGiRFDi5MwnLCA2p4CtxKZb fWCtzED2nbm7mSFseYntb+cwT2Dkn4WkZRaSsllIyhYwMq9ilE3JrdLNTczMKU5N1i1OTszL Sy3SNdHLzSzRS00p3cQICjxOSf4djHMavA8xCnAwKvHwBuTODxdiTSwrrsw9xCjJwaQkyuvy BSjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhDe8YkG4EG9KYmVValE+TEqag0VJnHf7t/ZwIYH0 xJLU7NTUgtQimKwMB4eSBK8VSKNgUWp6akVaZk4JQpqJgxNkOA/QcEWw4cUFibnFmekQ+VOM ilLivB0gCQGQREZpHlwvKDEkvD1s+opRHOgVYd7rIFU8wKQC1/0KaDAT0OATBmCDSxIRUlIN jNY7uYXumJTamH0R8g4oU605vsr4pMxPBbkrUzT/p880YY08EJ/y+1ijrtZs9r3Hu1jjmCM4 z+WLzvy2lf/a6QW9DhLPQvKPfo7gnvTsr6xEddzycMPPGw7eK1jaGllvOGNp7UfDmFCV6Ywe H/t/+3paTPDlfVchoTLlf9b+b3ov6ye9X/zlmRJLcUaioRZzUXEiAB2EA0jnAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/C1Nr9bdfs85IbaA-ud8paasFoAo>
Subject: Re: [jose] JOSE and signed REST requests
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 10:44:00 -0000

There's also this approach:

https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02

It's more limited than a general HTTP signing mechanism, but as a 
consequence it's more robust for systems that mess with the HTTP message 
in transit (which we know happens in the real world).

  -- Justin


On 8/2/2016 1:32 AM, Anders Rundgren wrote:
> Hi All,
>
> I was recently involved in an inter-bank payment project based on a 
> REST API.
>
> Since my role was "cryptography" I recommended the following approach
> http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html 
>
> since an operation is defined not only by the message payload, but 
> also by the HTTP verb, URI, and header parameters.
>
> The only related standards effort I'm aware of is this:
> https://tools.ietf.org/html/draft-cavage-http-signatures-05
>
> Unfortunately the methods above get rather awkward if you have a 
> system where requests are supposed to be embedded in other messages or 
> just proxied to another server.
>
> I would rather have dropped REST in favor of transport-independent 
> schemes using self-contained JSON-encoded signed message objects.
>
> WDYT?
>
> Anders
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose