Re: [jose] Sidemeeting Re: Signed HTTP Requests @ IETF-104

Bret Jordan <jordan.ietf@gmail.com> Tue, 26 March 2019 15:48 UTC

From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <d45aa0d3-7fb6-333e-674f-38f5dac70454@gmail.com>
Date: Tue, 26 Mar 2019 16:48:04 +0100
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Anthony Nadalin <tonynad@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <9CD2838C-BE63-4D21-BAD5-B361F12168D9@gmail.com>
References: <3afd27b3-c095-3188-89d3-58d8be177c5e@gmail.com> <DM5PR00MB0391CF9D87A9CE6F9CC36FF0A64A0@DM5PR00MB0391.namprd00.prod.outlook.com> <194bf99a-d5aa-d342-d110-3d66daf50d6e@gmail.com> <05237AAD-FB1F-4A06-A2BF-D4020B1F2799@gmail.com> <D6152153-D4B4-4EA5-B02C-CD01870EE4B2@lodderstedt.net> <86b31b82-9b3f-e441-efc6-9d260a522832@gmail.com> <B7DB8A46-BFCA-42C3-86E3-6E3292F630CE@gmail.com> <d45aa0d3-7fb6-333e-674f-38f5dac70454@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/RKkqhStDvQIMQi6_m-U9IzVyJ54>
Subject: Re: [jose] Sidemeeting Re: Signed HTTP Requests @ IETF-104

Anytime Wednesday afternoon.
Bret 

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Mar 26, 2019, at 4:09 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>> On 2019-03-26 08:12, Bret Jordan wrote:
>> I would love to have a side meeting here in Prague.
> 
> Bret and Torsten,
> any suggestions for a suitable time?
> 
> Anders
> 
>> I can not stress enough how important this JCS work is.  Anders talks about the banking industry using this.  But in addition to the banking sector, the entire international cyber threat intelligence community will be using JCS, which includes hundreds of major and small vendors, nearly every industry vertical, and many governments around the globe.
>> Like so many things, we should quit trying to censor technology because a few people do not like it, or because we wish the industry would go in a different path.  Anders has done amazing and brilliant work here.  Is it going to cover every corner case? Probably not.  But honestly it does not need to.  It just needs to solve the problems people need, and it does.
>> How can we get this group to reconsider it?
>> Bret
>> Sent from my Commodore 128D
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>> On Mar 26, 2019, at 7:16 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>> On 2019-03-25 15:31, Torsten Lodderstedt wrote:
>>>> Will there be a side meeting on Wednesday?
>>> 
>>> I can try to arrange that.
>>> 
>>> I'm still curious to hear what for example FAPI suggests for the future. https://openid.net/specs/openid-financial-api-part-2.html#request ?
>>> Convincing all open banking system developers out there to dress their precious business messages in base64 as an alternative to their current clear text solutions including the-not-as-bad-as-claimed https://tools.ietf.org/html/draft-cavage-http-signatures-10 may turn out badly.
>>> 
>>> JSON canonicalization as described in the current 05 draft is based on a concluded (and technically pretty successful) research effort verified by multiple implementations including one made externally [1].  There is a single fully documented issue [2] which does require some considerations by clients to work.
>>> 
>>> Number serialization has been addressed by true specialists in this field (=not me).  Recently I verified my original algorithm (copied from V8) with 5 billion random values against a new algorithm developed by Google which Microsoft intends to use in coming updates to their C# tool chain.
>>> 
>>> No such information was available during the operational time of the JOSE WG which is a rather important thing to keep in mind.
>>> 
>>> A bunch of people at the IETF meeting privately proposed that new developments should drop JSON/JWS and rather go for CBOR/COSE.  That's actually quite logical since with Base64-encoded messages, you anyway need a decoder to make messages human readable. Personally I'm doing the opposite, namely applying canonicalization to the JWS itself [3].
>>> 
>>> Anders
>>> 
>>> [1] https://github.com/dryruby/json-canonicalization
>>> 
>>> [2] https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-05#appendix-E
>>> 
>>> [3] User payment authorization in "Saturn".  Similar to XML DSig but at 10% of the complexity:
>>> {
>>>  "requestHash": {
>>>    "alg": "S256",
>>>    "val": "cA-QNdJHcynjuM44ty-zXgXwx100AZVRFLmYx1So0Xc"
>>>  },
>>>  "domainName": "demomerchant.com",
>>>  "paymentMethod": "https://bankdirect.net",
>>>  "accountId": "8645-7800239403",
>>>  "timeStamp": "2019-03-23T10:33:02+01:00",
>>>  "signature": {
>>>    "alg": "ES256",
>>>    "jwk": {
>>>      "kty": "EC",
>>>      "crv": "P-256",
>>>      "x": "rQ4WXMB6_wQKHSiY_mbJ4QkGpfWLssF7hvIiiFpDEx8",
>>>      "y": "Fh2rl0LGTtvaomOuhuRNo9Drz9o0--WXV2ITvdVQFRY"
>>>    },
>>>    "val": "j2LL9pr2RyrPxvFlj8IzMhno5vvgGIgf2xi23dA5u_XwjYlIvT9qwIVKaCKYwjb26J5mMUL5zV02lqQGjZRClw"
>>>  }
>>> }
>>> 
>>> 
>>>>> Am 13.03.2019 um 06:36 schrieb Bret Jordan <jordan.ietf@gmail.com>:
>>>>> We should for sure setup a side meeting on Wednesday to talk about JCS.  That would be good.  We could also talk a bit after the HotRFC session.
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> Bret
>>>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>>>> 
>>>>>> On Mar 12, 2019, at 11:03 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>>> 
>>>>>> On 2019-03-13 04:46, Anthony Nadalin wrote:
>>>>>>> I'm not sure why you say that FAPI is rolling its own as we are not, please explain
>>>>>> 
>>>>>> I was referring to this part of FAPI/OpenID:
>>>>>> https://openid.net/specs/openid-financial-api-part-2.html#introduction-3
>>>>>> 
>>>>>> Is that a proposed standard?  It claims to be RESTful but does not deal with HTTP Method and URI which are fundamental parts of REST.
>>>>>> 
>>>>>> In addition, one of the major interested parties behind FAPI, Open Banking in the UK, has selected another method (https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00#appendix-B.3), while other players in this field including French banks and the Berlin group are betting on: https://tools.ietf.org/html/draft-cavage-http-signatures-10
>>>>>> 
>>>>>> This is the motivation behind this work.  If you are in Prague, maybe we can talk about this?
>>>>>> 
>>>>>> regards,
>>>>>> Anders
>>>>>> 
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
>>>>>>> Sent: Monday, March 11, 2019 8:57 AM
>>>>>>> To: jose@ietf.org
>>>>>>> Subject: [jose] Signed HTTP Requests @ IETF-104
>>>>>>> I will be there Saturday evening - Thursday 13.00 in case you are interested in this topic.
>>>>>>> https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
>>>>>>> 4 minute "lightning" talk: https://cyberphone.github.io/ietf-signed-http-requests/hotrfc-shreq.pdf
>>>>>>> On-line "laboratory":
>>>>>>> https://mobilepki.org/shreq/home
>>>>>>> thanx,
>>>>>>> Anders
>>>>>>> _______________________________________________
>>>>>>> jose mailing list
>>>>>>> jose@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/jose
>>> 
>
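The clear-text signature layout of Anders's Saturn message and the JCS canonicalization it rests on (no whitespace, keys sorted by UTF-16 code units, ES6 number and string serialization), as an added example that is not part of this thread and not code from Anders's implementations: the message is signed over its canonical form with `signature.val` removed, and verified by recomputing. Assumptions: Python 3; HMAC-SHA256 (alg HS256) stands in for the ES256 key pair of the Saturn example because the standard library has no ECDSA; the key and message values are constructed; Python's repr() supplies the shortest round-trip digits that the ES6 number rule starts from.

```python
import base64, hashlib, hmac, json

def _es6_number(x):
    x = float(x)
    if x != x or x in (float("inf"), float("-inf")):
        raise ValueError("NaN/Infinity are not valid JSON")
    if x == 0:
        return "0"                                    # -0 serializes as "0"
    mant, _, exp = repr(abs(x)).partition("e")        # Python repr() is shortest round-trip
    ip, _, fp = mant.partition(".")
    raw = ip + fp
    digits = raw.strip("0")                           # significant digits, k of them
    n = len(ip) + int(exp or 0) - (len(raw) - len(raw.lstrip("0")))   # value = digits * 10^(n-k)
    k = len(digits)
    if k <= n <= 21:
        body = digits + "0" * (n - k)                 # plain integer, e.g. 100
    elif 0 < n <= 21:
        body = digits[:n] + "." + digits[n:]          # plain decimal, e.g. 4.5
    elif -6 < n <= 0:
        body = "0." + "0" * -n + digits               # 0.000001 style, down to 1e-6
    else:
        e = n - 1                                     # exponent form, e.g. 1e+21, 1e-7
        body = digits[0] + ("." + digits[1:] if k > 1 else "") + "e" + ("+" if e > 0 else "-") + str(abs(e))
    return ("-" if x < 0 else "") + body

_ESC = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f", "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def canonicalize(v):
    """JCS text: no whitespace, ES6 escapes and numbers, keys sorted by UTF-16 code units."""
    if v is None or isinstance(v, bool):
        return json.dumps(v)
    if isinstance(v, (int, float)):
        return _es6_number(v)
    if isinstance(v, str):
        return '"' + "".join(_ESC.get(c, c if c >= " " else "\\u%04x" % ord(c)) for c in v) + '"'
    if isinstance(v, list):
        return "[" + ",".join(canonicalize(x) for x in v) + "]"
    keys = sorted(v, key=lambda k: k.encode("utf-16-be"))
    return "{" + ",".join(canonicalize(k) + ":" + canonicalize(v[k]) for k in keys) + "}"

_b64url = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")

def sign_clear_text(obj, key):
    unsigned = dict(obj, signature={"alg": "HS256"})  # MAC input: obj plus "signature" minus "val"
    val = hmac.new(key, canonicalize(unsigned).encode(), hashlib.sha256).digest()
    return dict(obj, signature={"alg": "HS256", "val": _b64url(val)})

def verify_clear_text(signed, key):
    # Strip "val", re-canonicalize and recompute: wire whitespace and key order do not matter
    sig = dict(signed["signature"]); claimed = sig.pop("val", "")
    if sig.get("alg") != "HS256": return False        # never let the message pick the algorithm
    mac = hmac.new(key, canonicalize(dict(signed, signature=sig)).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(mac), claimed)
```

The number assertions in the accompanying check include the draft's own test values (333333333.33333329, 1e30, 4.5, 0.002, 1e-27), which is where naive float formatting usually diverges between languages.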