Re: [jose] JOSE and signed REST requests

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 02 August 2016 11:34 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDDA012D52F for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 04:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5lHlJIqSqSg for <jose@ietfa.amsl.com>; Tue, 2 Aug 2016 04:34:15 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3F5312B03A for <jose@ietf.org>; Tue, 2 Aug 2016 04:34:14 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id i5so285542459wmg.0 for <jose@ietf.org>; Tue, 02 Aug 2016 04:34:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=0UnxbIyBUTk4Bfb5Av0Cay6CeFgUIwSyc7+vA9P369c=; b=n/1ZqNr1NAYMSoW9V3Qx0UHVxYw5Y+6k7JUJx39fRsACTHMCDKnoSlQxCKALLhZdhX pkE89FjRYCPxi3QGDdlrrR2e+OiY7t+0dEMEoSMtJX0QyY8U5UPv3N659kQuwC4VRdIb dGNEY6cWZAK7z70H1yumKn+jfSKPms0gZjIhYVo4jyKlmqQudLh33VkxqcCGLIcnmZQl Z5304pYbNTELsohaVR/WlHNBXuRjHlG04rjd8w5STNJc/eisZTML5wMniwtm1LScrp8r hssbPZdOPmoJcwUp2tigHM2CieWqM/qIVC8H2U1NEKJ5YxwQ+N2fmE+DcB00/5avYpBq Wp9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=0UnxbIyBUTk4Bfb5Av0Cay6CeFgUIwSyc7+vA9P369c=; b=PH4X1ytiQy7/bWuRrFr/t/0hgcfxoeHO9VAoweBsI7KjHWp5gve/Ny8c0+jA3qV84H 0KrJLnYMdyAr1lXfF7Ye5+3ugvCsNwLKBwgKmUsB7Tmxq2BPIZN4QZ68UZbRTpm0h2BO plJ/A+4VT45xChMj61JOhQqlOMo87d84AoNdbiJLYZnrMFUG0px1EHFEJK91qcmKSefZ LcMw0LYryQzsy93IShXM0sZcBqRymbnLCT9vuO3ftfOWBUnAPbpuFth4cIw5fkprTUZI TygIOHFoU+9UDGgDdinzeGOzL555zALaYSpuLu5pZAnSbarR4r55IeC2LfJWawNMZh8V Ki8w==
X-Gm-Message-State: AEkoout8Aqxj/vsae4Jqot5SJVXIBVaNFxOIWjcTIzy5NqSE0tWUo8pFPMzCiapgzuC6lA==
X-Received: by 10.194.168.197 with SMTP id zy5mr63559025wjb.112.1470137653315; Tue, 02 Aug 2016 04:34:13 -0700 (PDT)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id x203sm21597996wmg.0.2016.08.02.04.34.12 for <jose@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Aug 2016 04:34:12 -0700 (PDT)
To: jose@ietf.org
References: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com> <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <d838a1dc-6871-ad09-d31c-fc5b9aa02286@gmail.com>
Date: Tue, 2 Aug 2016 14:34:12 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/yDjOJioe-ZlDymMXw3FNbRw6C7s>
Subject: Re: [jose] JOSE and signed REST requests
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 11:34:17 -0000

Hi Justin, Anders

in Apache CXF we have the filters for signing the outgoing payload.
Short overview:
http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JOSEJAX-RSFilters
JWS:

http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWS

This is much less complete compared the http-request-02 work but we dpo 
focus on the integrity of the payload. I think it will be interesting 
for us to combine the http-request-02 (for ex the optional protection of 
the headers, etc) with the streaming approach employed to sign the 
data... Seems like a good opportunity for me to start looking at the
the http-request-02/etc work.

Thanks, Sergey

On 02/08/16 13:43, Justin Richer wrote:
> There's also this approach:
>
> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02
>
> It's more limited than a general HTTP signing mechanism, but as a
> consequence it's more robust for systems that mess with the HTTP message
> in transit (which we know happens in the real world).
>
>  -- Justin
>
>
> On 8/2/2016 1:32 AM, Anders Rundgren wrote:
>> Hi All,
>>
>> I was recently involved in an inter-bank payment project based on a
>> REST API.
>>
>> Since my role was "cryptography" I recommended the following approach
>> http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
>>
>> since an operation is defined not only by the message payload, but
>> also by the HTTP verb, URI, and header parameters.
>>
>> The only related standards effort I'm aware of is this:
>> https://tools.ietf.org/html/draft-cavage-http-signatures-05
>>
>> Unfortunately the methods above get rather awkward if you have a
>> system where requests are supposed to be embedded in other messages or
>> just proxied to another server.
>>
>> I would rather have dropped REST in favor of transport-independent
>> schemes using self-contained JSON-encoded signed message objects.
>>
>> WDYT?
>>
>> Anders
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose