Re: [jose] Signed HTTP Requests @ IETF-104

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 13 March 2019 05:04 UTC


On 2019-03-13 04:46, Anthony Nadalin wrote:
> I'm not sure why you say that FAPI is rolling its own as we are not, please explain

I was referring to this part of FAPI/OpenID:
https://openid.net/specs/openid-financial-api-part-2.html#introduction-3

Is that a proposed standard? It claims to be RESTful but does not deal with HTTP Method and URI, which are fundamental parts of REST.

In addition, one of the major interested parties behind FAPI, Open Banking in the UK, have selected another method (https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00#appendix-B.3), while other players in this field including French banks and the Berlin group are betting on: https://tools.ietf.org/html/draft-cavage-http-signatures-10

This is the motivation behind this work.  If you are in Prague, maybe we can talk about this?

regards,
Anders


> 
> -----Original Message-----
> From: jose <jose-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Monday, March 11, 2019 8:57 AM
> To: jose@ietf.org
> Subject: [jose] Signed HTTP Requests @ IETF-104
> 
> I will be there Saturday evening - Thursday 13.00 in case you are interested in this topic.
> 
> https://tools.ietf.org/html/draft-rundgren-signed-http-requests-00
> 
> 4 minute "lightning" talk: https://cyberphone.github.io/ietf-signed-http-requests/hotrfc-shreq.pdf
> 
> On-line "laboratory":
> https://mobilepki.org/shreq/home
> 
> thanx,
> Anders
> 