Re: [jose] JOSE and signed REST requests

Carsten Bormann <> Tue, 02 August 2016 06:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1B00512D0BF; Mon, 1 Aug 2016 23:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nkna6ZTdjzEk; Mon, 1 Aug 2016 23:12:16 -0700 (PDT)
Received: from ( [IPv6:2001:4b98:c:538::194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F3A3712B068; Mon, 1 Aug 2016 23:12:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 377E6C5A5A; Tue, 2 Aug 2016 08:12:11 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id ejHJWIOANh_K; Tue, 2 Aug 2016 08:12:09 +0200 (CEST)
Received: from nar-3.local ( []) (Authenticated sender: by (Postfix) with ESMTPSA id 28825C5A5D; Tue, 2 Aug 2016 08:12:05 +0200 (CEST)
Message-ID: <>
Date: Tue, 02 Aug 2016 08:12:03 +0200
From: Carsten Bormann <>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: Anders Rundgren <>
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc:, "" <>
Subject: Re: [jose] JOSE and signed REST requests
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Aug 2016 06:12:18 -0000

> [...] an operation is defined not only by the message payload, but
> also by the HTTP verb, URI, and header parameters.
> The only related standards effort I'm aware of is this:

I'm don't think that this will help you with your payment project, but,
you said REST and didn't specifically ask for HTTP, so here is another
standards effort you might want to be aware of:


In the Berlin CoRE WG meeting, there was in-room consensus to adopt this
as a WG document (to be confirmed on the mailing list), so this should
not be too far out.  [Sorry about the WG name confusion -- ACE is
focusing on how to do OAuth in constrained-node networks, but the
protected CoAP exchanges themselves actually are a CoRE WG issue, where
we use COSE formats for the actual protection.]

> I would rather have dropped REST in favor of transport-independent
> schemes using self-contained JSON-encoded signed message objects.

[Pet peeve: HTTP is not a transport protocol.]
This removes the REST abstraction that is quite useful to the
application designer.  Having the application designer create the
security protocol around signed message objects also has increased
potential for mistakes around freshness, context binding etc.  You get
to verify your whole application-layer message interaction against the
security objectives; you need a larger amount of luck with that than
with protected REST primitives.

Grüße, Carsten