[jose] JOSE and signed REST requests

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 02 August 2016 05:32 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C549412B01C for <jose@ietfa.amsl.com>; Mon, 1 Aug 2016 22:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAd5F4nmJjdP for <jose@ietfa.amsl.com>; Mon, 1 Aug 2016 22:32:13 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A4BA12B024 for <jose@ietf.org>; Mon, 1 Aug 2016 22:32:13 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id q128so394145832wma.1 for <jose@ietf.org>; Mon, 01 Aug 2016 22:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=kA/mpKo6joh1pRtUw8ia7PFUZLGGtOEQBCw9asbhC9Q=; b=GfaXdbP4EjmbAPIO0D7Zv0+dO4u3iX4+c7PaCToWJRZb3f6KTKGMs28KjkvJDKLR4q 4Qy2Nx9woCUQqtP3iYEwJg7FxXrRl4bYN3iRKURzN3gEgXhAVDpPFwEq/x4vcigh9IWp hjMijSVtQY+uPO1p9prR/OSQ0HqLazKvH/SdS9dtbozIKm15kbDIAgFmO3ziSQzDUroh 8I9N38J0GPGItOGCULEYidDVfbcm1o7S9dBGa7xR/GhDZ2fnef7kfdCpiU6AC/E1jEj6 BFi7XDzOR1oUGg5v05m8ZYTtz2dzT3ONkOAtVPGyzWpIfNM/NhkWgYSYzT2g0TaDbGvQ OW+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=kA/mpKo6joh1pRtUw8ia7PFUZLGGtOEQBCw9asbhC9Q=; b=Pus5s6j8V18ANmud3N5q8NibjdfxGZyepgPmebYaV+KAW6ueXjqWCyyWVTVPhXak1r BBzxJqgY4FJLypQHCIGJ85VFkMZpM5TiHoEckcHGmTsbhoFiceGCGD88O7oh5lCTVhcm hiON9bZP6y61QEYQ65Y3N3mbbAy9pmc+i6I7QOfEqd3jB0IdKyygqzS11BfqtM7dxxAz BlSDSErCfKc72dSb7uVhsmfC9fV7OGrOrUtn7jqE9YYqGnVHaavN+m0ItjF+VBvrBxa0 qYn55d1qkeFjYjEz2YBycMF7scasgBMzNOn6DFVZWhud8qBBJohv89VWDrvZy/Z+p05I EKWA==
X-Gm-Message-State: AEkoouuy3AljR7mzkADrHwh38xfcWFajNcNkq0AdoWKwL99eZ8LcDTfbz06vTLm/h2GIMg==
X-Received: by 10.28.50.3 with SMTP id y3mr53668557wmy.23.1470115931459; Mon, 01 Aug 2016 22:32:11 -0700 (PDT)
Received: from [192.168.1.79] (124.25.176.95.rev.sfr.net. [95.176.25.124]) by smtp.googlemail.com with ESMTPSA id h7sm724299wjd.17.2016.08.01.22.32.10 for <jose@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 01 Aug 2016 22:32:10 -0700 (PDT)
To: "jose@ietf.org" <jose@ietf.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com>
Date: Tue, 2 Aug 2016 07:32:08 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/LrE528NGi_0lFNwo-Mu1YiKd_Rc>
Subject: [jose] JOSE and signed REST requests
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 05:32:16 -0000

Hi All,

I was recently involved in an inter-bank payment project based on a REST API.

Since my role was "cryptography" I recommended the following approach
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
since an operation is defined not only by the message payload, but also by the HTTP verb, URI, and header parameters.

The only related standards effort I'm aware of is this:
https://tools.ietf.org/html/draft-cavage-http-signatures-05

Unfortunately the methods above get rather awkward if you have a system where requests are supposed to be embedded in other messages or just proxied to another server.

I would rather have dropped REST in favor of transport-independent schemes using self-contained JSON-encoded signed message objects.

WDYT?

Anders