Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-02.txt

Sergey Beryozkin <> Thu, 04 February 2016 12:17 UTC

Hi Justin

IMHO it would be useful to consider dropping body hashes and simply 
using JWS filters to convert the body to/from JWS compact or even JSON 
on the fly.
I recall there was some conversation before. People do want to stream 
the data end to end in today's web services. The idea of hashing the 
payload (even if it is arguably a 'small' payload such as 50-60k) won't 
fly in many productions but only in the demos.

JWS Compact is designed to support streaming, and even JWS JSON can do 
the streaming on the way out. Of course the final payload, especially if 
it is JWS compact, won't be easy to analyze when it is on the wire, but 
JWS JSON with base64url disabled can help. The filters will need to 
recreate the original body but it is the same with, for example, GZIP.

The headers/queries hash can be linked to the signed body as a JWS 
header and thus protected too...

Not sure if it is convincing...

Cheers, Sergey

On 03/02/16 22:30, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>          Title           : A Method for Signing HTTP Requests for OAuth
>          Authors         : Justin Richer
>                            John Bradley
>                            Hannes Tschofenig
>          Filename        : draft-ietf-oauth-signed-http-request-02.txt
>          Pages           : 13
>          Date            : 2016-02-03
> Abstract:
>     This document a method for offering data origin authentication and
>     integrity protection of HTTP requests.  To convey the relevant data
>     items in the request a JSON-based encapsulation is used and the JSON
>     Web Signature (JWS) technique is re-used.  JWS offers integrity
>     protection using symmetric as well as asymmetric cryptography.
> The IETF datatracker status page for this draft is:
> There's also a htmlized version available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:

Sergey Beryozkin

Talend Community Coders
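
The approach proposed in the message above, sketched as an added example that is not code from the post or from the draft: the body is emitted as a JWS Compact payload chunk by chunk, and a hash over the request line and headers rides in the JWS protected header. HS256, the `hq_hash` header parameter name and the canonical form of `request_meta` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64u_dec(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_stream(key, body_chunks, request_meta):
    """Yield a JWS Compact serialization piece by piece; the body is never buffered whole."""
    header = {"alg": "HS256",
              # hypothetical header parameter binding method, query and headers
              "hq_hash": b64u(hashlib.sha256(request_meta).digest()).decode()}
    mac = hmac.new(key, digestmod=hashlib.sha256)
    first = b64u(json.dumps(header, separators=(",", ":")).encode()) + b"."
    mac.update(first)
    yield first
    pending = b""
    for chunk in body_chunks:
        pending += chunk
        cut = len(pending) - len(pending) % 3  # whole 3-byte groups encode without padding
        piece = b64u(pending[:cut])
        pending = pending[cut:]
        mac.update(piece)
        yield piece
    tail = b64u(pending)
    mac.update(tail)
    yield tail + b"." + b64u(mac.digest())  # signature trails the streamed payload

def verify(key, token, request_meta):
    """Check the signature and the request binding; return the original body."""
    h, p, s = token.split(b".")
    expected = hmac.new(key, h + b"." + p, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(s)):
        raise ValueError("bad signature")
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = b64u(hashlib.sha256(request_meta).digest()).decode()
    if not hmac.compare_digest(header.get("hq_hash", ""), want):
        raise ValueError("request line or headers changed")
    return b64u_dec(p)
```

Because the signature arrives after the payload, a receiving filter that decodes incrementally hands bytes downstream before they are authenticated, so the consumer must be able to discard its work when the final check fails.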