Re: [OAUTH-WG] HTTP Signing

Justin Richer <jricher@mit.edu> Tue, 28 March 2017 23:17 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <401D280A-4872-46AC-849B-5A3CF043DAD6@mit.edu>
Date: Tue, 28 Mar 2017 18:16:58 -0500
In-Reply-To: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <7480c702-56a9-4e6b-86e1-2f24bb0b3c42@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3QY37fySX4WqUTwTCUHgFuEeqEg>

That document has been brought up and discussed several times in the past in relation to our own signing mechanism, and it’s been rejected each time. It has its benefits and drawbacks, as does the signature method that was proposed in draft-ietf-oauth-http-signing. The biggest drawback of the cavage document is that it is not as robust against HTTP message transformation as the oauth document. The oauth draft uses the JOSE signing mechanism (which is familiar to a lot of OAuth developers already) whereas the cavage draft has its own signing system. The cavage draft ties more directly to HTTP2, whereas the oauth draft ties more directly to, well, OAuth. To wit, you’d still need to define a way to present the access token itself alongside the signature, presumably using another header which would be signed.

The thing is, the challenge has never been with the specifics of how the signatures are made in the oauth draft — the challenge has been whether to do message level signatures at all. The token binding camp remains convinced that referred token binding will be both universally available and universally applicable, and that work has very directly pulled interest and attention away from having a true PoP solution in a standard, even five years after we had a reasonably workable draft (in the form of the MAC token) that we could have built and run with.

 — Justin

> On Mar 28, 2017, at 2:32 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Hi all,
> 
> I met Manu after the OAuth meeting on Monday and he pointed me to his
> work on HTTP signing, as described in this document:
> https://tools.ietf.org/html/draft-cavage-http-signatures-06
> 
> I believe there is some synergy of work going on elsewhere in the IETF.
> Since we have had challenges with some HTTP signing I wonder whether
> there is something to learn from the authors of that doc.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
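Added example (not code from this thread, nor from either draft mentioned in it): a small model of the message-level signing approach Justin describes for the OAuth draft, where the signer lists which query parameters and headers are covered, hashes them in the listed order, and carries the access token inside the signed JWS payload, so the verifier can rebuild the covered components from the request as it actually arrived. The canonicalization rules, the "at"/"ts"/"m"/"u"/"p"/"q"/"h" claim names, the HS256-over-a-shared-key choice, and all request, key and token values below are my own assumptions for illustration. It shows the "robust against HTTP message transformation" property from the post: reordering query parameters, changing header name case, or adding an uncovered header leaves the signature valid, while altering a covered value or stripping a covered header breaks it.

```python
"""Model of list-the-covered-components HTTP request signing (added example).

Assumptions (not from the drafts): claim names, canonicalization, HS256 with a
shared PoP key, and every sample value. KEY and ACCESS_TOKEN are constructed.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-pop-key"   # constructed: PoP key bound to the token
ACCESS_TOKEN = "constructed-token"   # constructed: the OAuth access token value


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256_b64url(text: str) -> str:
    return b64url(hashlib.sha256(text.encode()).digest())


def canon_query(params: dict, names: list) -> str:
    # Only the listed parameters, in the listed order, are covered (assumed rule).
    return sha256_b64url("&".join(f"{n}={params[n]}" for n in names))


def canon_headers(headers: dict, names: list) -> str:
    # HTTP header names are case-insensitive, so normalize to lowercase first.
    lower = {k.lower(): v for k, v in headers.items()}
    return sha256_b64url("\n".join(f"{n.lower()}: {lower[n.lower()]}" for n in names))


def sign_request(method, host, path, params, headers, q_names, h_names, ts) -> str:
    """Build a compact JWS over the covered request components plus the token."""
    payload = {
        "at": ACCESS_TOKEN,            # token travels inside the signed payload
        "ts": ts,
        "m": method.upper(),
        "u": host.lower(),
        "p": path,
        "q": [list(q_names), canon_query(params, q_names)],
        "h": [list(h_names), canon_headers(headers, h_names)],
    }
    hdr = b64url(json.dumps({"typ": "pop", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url(hmac.new(KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest())
    return f"{hdr}.{body}.{sig}"


def verify_request(jws, method, host, path, params, headers, now=None, max_skew=300) -> bool:
    """Recompute the covered components from the request as received and compare."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False
    hdr, body, sig = parts
    expected = b64url(hmac.new(KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False                   # signature check first, before trusting any claim
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("at") != ACCESS_TOKEN:
        return False
    if payload["m"] != method.upper() or payload["u"] != host.lower() or payload["p"] != path:
        return False
    q_names, q_hash = payload["q"]
    h_names, h_hash = payload["h"]
    try:
        if canon_query(params, q_names) != q_hash or canon_headers(headers, h_names) != h_hash:
            return False
    except KeyError:
        return False                   # a covered parameter or header was stripped in transit
    if now is not None and abs(now - payload["ts"]) > max_skew:
        return False                   # stale signature (replay window exceeded)
    return True


# Constructed sample request; the signer covers query params a,b and the content-type header.
SAMPLE_TS = 1490742998
SAMPLE_JWS = sign_request(
    "GET", "api.example.com", "/resource",
    {"b": "2", "a": "1"}, {"Content-Type": "application/json", "X-Trace": "abc"},
    ["a", "b"], ["content-type"], SAMPLE_TS,
)


def demo() -> dict:
    """Outcomes for a transformed-but-intact request and for tampered ones."""
    return {
        # lowercase method, re-cased host, reordered params, extra param, re-cased header, X-Trace dropped
        "transformed_ok": verify_request(SAMPLE_JWS, "get", "API.example.com", "/resource",
                                         {"a": "1", "extra": "x", "b": "2"},
                                         {"content-type": "application/json"}, now=SAMPLE_TS + 2),
        "param_changed": verify_request(SAMPLE_JWS, "GET", "api.example.com", "/resource",
                                        {"a": "9", "b": "2"}, {"Content-Type": "application/json"}),
        "header_stripped": verify_request(SAMPLE_JWS, "GET", "api.example.com", "/resource",
                                          {"a": "1", "b": "2"}, {}),
        "stale": verify_request(SAMPLE_JWS, "GET", "api.example.com", "/resource",
                                {"a": "1", "b": "2"}, {"Content-Type": "application/json"},
                                now=SAMPLE_TS + 10_000),
    }
```

The point to notice against the post's comparison: because the token is a claim in the signed payload ("at"), the verifier binds token and signature in one check; with a separate signing scheme you would have to define an additional signed header carrying the token, which is the gap Justin raises about the cavage draft.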