Re: [jose] JOSE and signed REST requests
Sergey Beryozkin <sberyozkin@gmail.com> Tue, 02 August 2016 11:34 UTC
To: jose@ietf.org
References: <216bb90e-15d5-efd6-e014-024f06af24f2@gmail.com> <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <d838a1dc-6871-ad09-d31c-fc5b9aa02286@gmail.com>
Date: Tue, 02 Aug 2016 14:34:12 +0300
In-Reply-To: <48681c51-a1f2-ff43-9af4-521248b29af3@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/yDjOJioe-ZlDymMXw3FNbRw6C7s>
Hi Justin, Anders

In Apache CXF we have the filters for signing the outgoing payload. Short overview:

http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JOSEJAX-RSFilters

JWS:

http://cxf.apache.org/docs/jax-rs-jose.html#JAX-RSJOSE-JWS

This is much less complete compared to the http-request-02 work, but we do focus on the integrity of the payload.

I think it will be interesting for us to combine the http-request-02 (for ex. the optional protection of the headers, etc.) with the streaming approach employed to sign the data...

Seems like a good opportunity for me to start looking at the http-request-02/etc. work.

Thanks, Sergey

On 02/08/16 13:43, Justin Richer wrote:
> There's also this approach:
>
> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02
>
> It's more limited than a general HTTP signing mechanism, but as a
> consequence it's more robust for systems that mess with the HTTP message
> in transit (which we know happens in the real world).
>
> -- Justin
>
>
> On 8/2/2016 1:32 AM, Anders Rundgren wrote:
>> Hi All,
>>
>> I was recently involved in an inter-bank payment project based on a
>> REST API.
>>
>> Since my role was "cryptography" I recommended the following approach
>> http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
>>
>> since an operation is defined not only by the message payload, but
>> also by the HTTP verb, URI, and header parameters.
>>
>> The only related standards effort I'm aware of is this:
>> https://tools.ietf.org/html/draft-cavage-http-signatures-05
>>
>> Unfortunately the methods above get rather awkward if you have a
>> system where requests are supposed to be embedded in other messages or
>> just proxied to another server.
>>
>> I would rather have dropped REST in favor of transport-independent
>> schemes using self-contained JSON-encoded signed message objects.
>>
>> WDYT?
>>
>> Anders
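The thread above contrasts signing only the payload (the CXF JWS filters) with binding the HTTP verb, URI and headers as well (SigV4, draft-cavage, draft-ietf-oauth-signed-http-request), and Justin's point that covering only selected parts keeps the signature robust against proxies that touch the message. The following is an added example, not code from Apache CXF or from either draft: it builds a compact JWS (RFC 7515, HS256) whose payload carries the method, host, path, query, a hash over a chosen set of headers, and a SHA-256 of the body, and a verifier that recomputes those claims from the request actually received. The claim names (m, u, p, q, h, b, ts) mirror the signed-http-request draft, but the canonical strings hashed here, the pre-shared HMAC key, the sample request and the skew window are this example's own assumptions and are not the draft's exact algorithm.

```python
"""Added example: a JWS over selected parts of an HTTP request (method, host,
path, query, chosen headers, body hash). Claim names follow
draft-ietf-oauth-signed-http-request; canonicalisation is simplified."""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret-not-for-real-use"  # assumption: pre-shared HMAC key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def request_claims(req: dict, covered_headers: list, ts: int) -> dict:
    """Claims for the request parts the signature covers. Only the headers
    named in covered_headers are bound, so a proxy that adds or rewrites
    other headers does not invalidate the signature."""
    lower = {k.lower(): v.strip() for k, v in req["headers"].items()}
    names = [n.lower() for n in covered_headers]
    missing = [n for n in names if n not in lower]
    if missing:
        raise ValueError(f"covered header(s) missing: {missing}")
    query_canon = "&".join(f"{k}={req['query'][k]}" for k in sorted(req["query"]))
    header_canon = "".join(f"{n}: {lower[n]}\n" for n in names)
    return {
        "ts": ts,
        "m": req["method"].upper(),
        "u": req["host"].lower(),
        "p": req["path"],
        "q": [sorted(req["query"]), sha256_b64url(query_canon.encode())],
        "h": [names, sha256_b64url(header_canon.encode())],
        "b": sha256_b64url(req["body"]),
    }


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: BASE64URL(header).BASE64URL(payload).BASE64URL(signature)."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    h, p, s = token.split(".")
    # The verifier pins the algorithm; the token's "alg" is checked, never obeyed.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def sign_request(req: dict, key: bytes, covered_headers: list, ts: int) -> str:
    return jws_sign_hs256(request_claims(req, covered_headers, ts), key)


def verify_request(req: dict, token: str, key: bytes, now: int, max_skew: int = 300) -> dict:
    """Check the JWS, then recompute the claims from the request as received."""
    claims = jws_verify_hs256(token, key)
    if abs(now - claims["ts"]) > max_skew:
        raise ValueError("stale request")
    if request_claims(req, claims["h"][0], claims["ts"]) != claims:
        raise ValueError("request does not match signed claims")
    return claims


def demo() -> dict:
    """Constructed sample request (not from the page); returns which checks behaved as expected."""
    req = {
        "method": "POST",
        "host": "api.example.test",
        "path": "/v1/payments",
        "query": {"idempotency": "abc123"},
        "headers": {"Content-Type": "application/json", "Date": "Tue, 02 Aug 2016 11:34:12 GMT"},
        "body": b'{"amount":100,"currency":"EUR"}',
    }
    ts, now = 1470137652, 1470137660
    token = sign_request(req, KEY, ["Content-Type", "Date"], ts)

    def rejected(bad_req, at=now, tok=token):
        try:
            verify_request(bad_req, tok, KEY, at)
        except ValueError:
            return True
        return False

    proxied = dict(req, headers={**req["headers"], "X-Forwarded-For": "10.0.0.5"})
    alg_none = b64url(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    return {
        "valid": verify_request(req, token, KEY, now)["m"] == "POST",
        "proxy_header_tolerated": not rejected(proxied),
        "body_tamper_rejected": rejected(dict(req, body=b'{"amount":100000,"currency":"EUR"}')),
        "method_tamper_rejected": rejected(dict(req, method="DELETE")),
        "covered_header_tamper_rejected": rejected(dict(req, headers={**req["headers"], "Date": "Wed, 03 Aug 2016 00:00:00 GMT"})),
        "replay_after_skew_rejected": rejected(req, at=ts + 600),
        "alg_none_rejected": rejected(req, tok=alg_none),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The verifier recomputes every claim from the received request rather than trusting the token, so a changed verb, path, body or covered header fails closed, while an added hop-by-hop header (the proxy case Justin mentions) is tolerated because it was never in the covered set. In a real deployment the server would also impose a minimum set of headers that must be covered (the token's own "h" list should not be the only policy) and would hash a streamed body incrementally, which is where the CXF streaming approach Sergey refers to would fit.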