Re: [OAUTH-WG] Fwd: [http-auth] Review Request for third draft of "Signing HTTP Messages"

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 12 May 2014 17:59 UTC


Conceptually, draft-cavage-http-signatures-02 is the same as OAuth 1.0.
Therefore, the symmetric key part of the document is the same as the MAC
token.

Not quite sure why the authors have not read the OAuth work.

On 05/09/2014 01:22 AM, Phil Hunt wrote:
> How does this compare with justin's draft?
> 
> Phil
> 
> Begin forwarded message:
> 
>> *From:* Manu Sporny <msporny@digitalbazaar.com
>> <mailto:msporny@digitalbazaar.com>>
>> *Date:* May 8, 2014 at 14:41:55 PDT
>> *To:* IETF HTTP Auth <http-auth@ietf.org <mailto:http-auth@ietf.org>>
>> *Cc:* Julian Reschke <julian.reschke@gmx.de
>> <mailto:julian.reschke@gmx.de>>, Mark Nottingham <mnot@mnot.net
>> <mailto:mnot@mnot.net>>, Web Payments CG <public-webpayments@w3.org
>> <mailto:public-webpayments@w3.org>>
>> *Subject:* *[http-auth] Review Request for third draft of "Signing
>> HTTP Messages"*
>>
>> After feedback from Mark Nottingham[1], Julian Reschke[2], folks in the
>> HTTP Auth WG, and people in the Web Payments CG, we've modified the HTTP
>> Signatures specification in the following ways:
>>
>> 1. The specification has been renamed to "Signing HTTP Messages".
>> 2. The specification now covers both a signature-based Authorization
>>   mechanism (client-to-server) as well as a general mechanism to sign
>>   HTTP messages (client-to-server and server-to-client).
>> 3. A new "Signature" header has been introduced.
>> 4. The layout has been modified heavily to streamline the information
>>   conveyed in the spec.
>> 5. New registries have been created for the algorithms referred to in
>>   the specification.
>> 6. We're now more specific in the way certain canonicalizations are
>>   performed.
>> 7. More examples have been added, including how to digitally sign
>>   the body of an HTTP message.
>>
>> The basic mechanism of generating the signatures has not changed (and
>> has been stable for over a year).
>>
>> The newest spec can be found here:
>>
>> http://tools.ietf.org/html/draft-cavage-http-signatures-02
>>
>> The diff is here:
>>
>> http://tools.ietf.org/rfcdiff?url2=draft-cavage-http-signatures-02.txt
>>
>> Matt, Yoav, Kathleen, if there are no show stopping review comments, I'd
>> like to push this spec onto the RFC track in the HTTP Auth WG, or
>> HTTPbis/2 WG. It'll be ready for a LC in a month or two. I realize that
>> HTTP Auth may be shutting down next month, so what's the next step to
>> get the HTTP Signatures spec further down the IETF RFC track?
>>
>> -- manu
>>
>> [1]
>> http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0038.html
>> [2]
>> http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0036.html
>>
>> -- 
>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>> Founder/CEO - Digital Bazaar, Inc.
>> blog: The Marathonic Dawn of Web Payments
>> http://manu.sporny.org/2014/dawn-of-web-payments/
>>
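Hannes's point above is that the symmetric-key variant of the draft reduces to a MAC over selected parts of the message, much like the OAuth MAC token. The following is an added example (not code from the draft or from either list post) of that HMAC flavour: it builds the per-header signing string, emits a Signature-style Authorization header, and verifies it server-side with a constant-time comparison while insisting that Date is covered. The `(request-target)` pseudo-header spelling, the key id and the shared secret are assumptions, not values from the draft.

```python
import base64
import hashlib
import hmac
import re

# Constructed key id and shared secret (placeholders, not values from the draft).
KEY_ID = "example-key-1"
SECRET = b"constructed-shared-secret"
REQUIRED = ("date",)  # verifier policy: a signature that does not cover Date is replayable


def signing_string(method, path, headers, names):
    """One 'name: value' line per covered header, names lowercased, joined by LF.
    '(request-target)' is an assumed pseudo-header carrying method and path."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name]}")
        else:
            raise ValueError(f"covered header missing from request: {name}")
    return "\n".join(lines)


def sign(method, path, headers, names, secret=SECRET, key_id=KEY_ID):
    """Client side: Authorization header value for the symmetric (HMAC-SHA256) variant."""
    mac = hmac.new(secret, signing_string(method, path, headers, names).encode(),
                   hashlib.sha256).digest()
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{base64.b64encode(mac).decode()}"')


def verify(method, path, headers, secret=SECRET):
    """Server side: recompute the MAC over the covered headers and compare in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Signature "):
        return False
    params = dict(re.findall(r'(\w+)="([^"]*)"', auth[len("Signature "):]))
    if params.get("algorithm") != "hmac-sha256" or params.get("keyId") != KEY_ID:
        return False
    names = params.get("headers", "").split()
    if any(r not in names for r in REQUIRED):
        return False  # refuse signatures that leave Date uncovered
    try:
        expected = hmac.new(secret, signing_string(method, path, headers, names).encode(),
                            hashlib.sha256).digest()
        given = base64.b64decode(params.get("signature", ""), validate=True)
    except ValueError:  # malformed base64 or a covered header absent from the request
        return False
    return hmac.compare_digest(expected, given)
```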