Re: [jose] JOSE and signed REST requests

Justin Richer <jricher@mit.edu> Tue, 02 August 2016 14:13 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5987B12D630 for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 07:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jo2pqGY9e6UK for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 07:13:05 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10FE112D69C for <jose@ietf.org>; Tue, 2 Aug 2016 07:13:04 -0700 (PDT)
X-AuditID: 1209190e-fffff700000046e9-34-57a0aa6f8959
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 41.D3.18153.F6AA0A75; Tue, 2 Aug 2016 10:13:03 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u72ED3el025161; Tue, 2 Aug 2016 10:13:03 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u72ED1x2023337 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 2 Aug 2016 10:13:02 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <SN1PR0301MB164549BD76157CA2987F2162F5050@SN1PR0301MB1645.namprd03.prod.outlook.com>
Date: Tue, 2 Aug 2016 10:13:00 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <935629E3-26CC-4ED2-8589-29242375B765@mit.edu>
References: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com> <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu> <d838a1dc-6871-ad09-d31c-fc5b9aa02286@gmail.com> <SN1PR0301MB164549BD76157CA2987F2162F5050@SN1PR0301MB1645.namprd03.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrCIsWRmVeSWpSXmKPExsUixCmqrJu/akG4weVT5hZr1nQzWeyd9onF 4t9Sewdmj52z7rJ7LFnyk8mjdcdf9gDmKC6blNSczLLUIn27BK6MCVOXsRQ0y1asb5rB1MDY KtHFyMkhIWAiMeH1Y8YuRi4OIYE2JoljL5ZDORsYJWb++MYG4Txgkpj54icTSAuzgLrEn3mX mEFsXgE9iU3r34LFhQUMJS6uW8kKYrMJqEpMX9MCFOfg4BRIlDi0xgfEZBFQkbi6MwJiio/E +SVToSZqSyxb+BpqopXE7O17GUFsIYGPjBJ3bruC2CICOhKPL4KcA3K0rMSTk4tYJjAKzEJy 0CwkB81CMnYBI/MqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXWO93MwSvdSU0k2M4MCV5NvBOKnB +xCjAAejEg9vQO78cCHWxLLiytxDjJIcTEqivC5fgEJ8SfkplRmJxRnxRaU5qcWHGCU4mJVE eD8tXRAuxJuSWFmVWpQPk5LmYFES593+rT1cSCA9sSQ1OzW1ILUIJivDwaEkwftiBVCjYFFq empFWmZOCUKaiYMTZDgP0PB9IDW8xQWJucWZ6RD5U4yKUuK8N0ESAiCJjNI8uF5QYkl4e9j0 FaM40CvCvPUrgap4gEkJrvsV0GAmoMEnDMAGlyQipKQaGIsb4w3vK35rlZH3ETIV373J7sHc HdwSXaxpc8pD11Upa34TKbGVtrDY1yIi/C9dLtR3d5fvhrQ1X/9Jz9fsiWC9z1X0pTY2t7fl wyq1jCuV5uGv4n1WnGRXm1h57utCdcfA/Yf98vZHBxx7edtnSYT32Zkdbq8qnL+c6K64erjv k3ipj5qwEktxRqKhFnNRcSIAIyRssAcDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/t5pBMO6YfKvIWYZBSW0bFNjcJbQ>
Cc: Sergey Beryozkin <sberyozkin@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JOSE and signed REST requests
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 14:13:09 -0000

Or that there will be enough interest in the spec that it will either spur the OAuth working group to finish what it started, or the work will move elsewhere.

 — Justin

> On Aug 2, 2016, at 9:36 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> As background, people should be aware that at IETF 96, members of the OAuth working group expressed a preference to abandon work on the OAuth http signing spec or put it on hold.  This discussion and the results are recorded near the end of the minutes at https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth.
> 
> So anyone considering taking a dependency on this spec should take into account that it will likely never become an RFC.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Tuesday, August 2, 2016 4:34 AM
> To: jose@ietf.org
> Subject: Re: [jose] JOSE and signed REST requests
> 
> Hi Justin, Anders
> 
> in Apache CXF we have the filters for signing the outgoing payload.
> Short overview:
> http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JOSEJAX-RSFilters
> JWS:
> 
> http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWS
> 
> This is much less complete compared the http-request-02 work but we dpo focus on the integrity of the payload. I think it will be interesting for us to combine the http-request-02 (for ex the optional protection of the headers, etc) with the streaming approach employed to sign the data... Seems like a good opportunity for me to start looking at the the http-request-02/etc work.
> 
> Thanks, Sergey
> 
> On 02/08/16 13:43, Justin Richer wrote:
>> There's also this approach:
>> 
>> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02
>> 
>> It's more limited than a general HTTP signing mechanism, but as a 
>> consequence it's more robust for systems that mess with the HTTP 
>> message in transit (which we know happens in the real world).
>> 
>> -- Justin
>> 
>> 
>> On 8/2/2016 1:32 AM, Anders Rundgren wrote:
>>> Hi All,
>>> 
>>> I was recently involved in an inter-bank payment project based on a 
>>> REST API.
>>> 
>>> Since my role was "cryptography" I recommended the following approach 
>>> http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-
>>> requests.html
>>> 
>>> since an operation is defined not only by the message payload, but 
>>> also by the HTTP verb, URI, and header parameters.
>>> 
>>> The only related standards effort I'm aware of is this:
>>> https://tools.ietf.org/html/draft-cavage-http-signatures-05
>>> 
>>> Unfortunately the methods above get rather awkward if you have a 
>>> system where requests are supposed to be embedded in other messages 
>>> or just proxied to another server.
>>> 
>>> I would rather have dropped REST in favor of transport-independent 
>>> schemes using self-contained JSON-encoded signed message objects.
>>> 
>>> WDYT?
>>> 
>>> Anders
>>> 
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose