Re: [OAUTH-WG] Digest for DPoP
Brian Campbell <bcampbell@pingidentity.com> Fri, 19 February 2021 23:45 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6A2D3A045E for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2021 15:45:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9GZVMV-caVu for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2021 15:45:52 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A46D3A040F for <oauth@ietf.org>; Fri, 19 Feb 2021 15:45:52 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id u4so31183557ljh.6 for <oauth@ietf.org>; Fri, 19 Feb 2021 15:45:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pFoKkKyXY6nZ6cge+oKM1FgW56ZvJ6YrmdsdZiAuTCg=; b=RW+josnjcFBGjVpHvfKKE1zIAZy161W8knSB9izC3M8/HY0baghZIOr+0+4lWkEfaH dqxZzMDApcub6VIkYrClMC2vyb25sW7JIBe6Jvg+sg0ywEQokPlgrORUjTHZoCxRcNJY Kt8P6oWN8UNJK1kWHUD8EHGkBdajjbalACyeQiCOGbXO5OO5Wm3p8jwjOlzP1A7HDUI+ TOFbUUc1AYdl/jvICIWxJiyoKrQRaX5mMlAWcWsdzafVz9qSi2k7tJb1zXfTeIDdYihy DaHF2wItWvoYCt5V0J5SIbZuQcQxcRz/BjmGQ3ztbc3Cb/oLc8NTYzAdP2hOLxVVI6Lm B+CA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pFoKkKyXY6nZ6cge+oKM1FgW56ZvJ6YrmdsdZiAuTCg=; b=WT+ZVD8RzzSlFaFk+gQUhXClnc/KKkY5OLszXLBA7xjalQwbuYFj3TUGCHtYpYuOgJ UOS+QXcHBrVF4b6YPpZGs86qB7on4j9o2TSlBBmU6RIrbB5wMlpwkN7ILdLg47+ivkrr l19HZUQlT7111kw3ChNcriBER23M0tiafGZVhp4vWuR4rW6wgquWpWxCmdfLv57lvyWA Dc5eWFNxHKPjeGmphlqp6sz7iOQxOX2a/+xxtlX4phlMoBpSafVYL/4JulBM5Ca2BAlF D7V8snWPEixkAI5ZnA5A06KkUsXJ3Y8+oBu9Qjs1nUmj36OI4UdBY+xZqscXLUsFp3X2 DRfQ==
X-Gm-Message-State: AOAM531N0sqZuKbSguIX1DLtGNoygxAvq+KYIs23JFryxk6gXGp7i2r+ 40JiSZQO+zEjOzyeEOYwmIyneHm2jwCV0AHZ0L3OY0Y0uCTuh7RFOu4LR7Af7YERBjsHL0566DV jRxBfwIKdymQYFg==
X-Google-Smtp-Source: ABdhPJzn1/1KfFyqw+kZBjb08rh8dgmZQ5IaaYM3JnvtzF1SSsTWhBWg0nLrfV0a4MFmvZ68OemK6B5wp3uJZcn/hyk=
X-Received: by 2002:a2e:8556:: with SMTP id u22mr7429679ljj.114.1613778350637; Fri, 19 Feb 2021 15:45:50 -0800 (PST)
MIME-Version: 1.0
References: <5A5EEBCB-0075-4F9E-B943-E6F142A6E84C@mit.edu> <CA+k3eCSZgn_8DrUbZvDpPSsvEy1U_whWGMf-YDoUTXc8e9bMVg@mail.gmail.com> <CAP9qbHWbWkqvBSM62D9jCiJkYgFe3j-yzcpPw4EjOnARHrOivA@mail.gmail.com>
In-Reply-To: <CAP9qbHWbWkqvBSM62D9jCiJkYgFe3j-yzcpPw4EjOnARHrOivA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 19 Feb 2021 16:45:24 -0700
Message-ID: <CA+k3eCTdobo_YPB2TMCPfxjsEHoPrQHe1-jr71MTC-9aoU+NYw@mail.gmail.com>
To: Roberto Polli <robipolli@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000056207c05bbb90d23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OqG1lNg7eTf77AptAYPvsBPQz_I>
Subject: Re: [OAUTH-WG] Digest for DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2021 23:45:55 -0000
Hi Roberto, The SHMIP draft <https://bitbucket.org/openid/fapi/src/master/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md> is in the OIDF's FAPI repository https://bitbucket.org/openid/fapi/src/master/ and mailing list is https://lists.openid.net/mailman/listinfo/openid-specs-fapi The GNAP draft <https://tools.ietf.org/html/draft-ietf-gnap-core-protocol> is out of the IETF WG of the same name <https://datatracker.ietf.org/wg/gnap/about/> and the git repo is https://github.com/ietf-wg-gnap/gnap-core-protocol/ The usage of digest by both builds on the OAuth WG <https://datatracker.ietf.org/wg/oauth/about/>'s DPoP draft <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-02.html> and is in git at https://github.com/danielfett/draft-dpop On Fri, Feb 19, 2021 at 3:43 PM Roberto Polli <robipolli@gmail.com> wrote: > Hi @all, > > I'm planning to read those I-D as they might be useful in a project, > and I'm happy to provide feedback on digest usage. > In general, when building protocols over HTTP it is necessary to take > into account the semantics (eg. range requests, caching, ...) > because reverse proxies, WAF and api gateways implement them: this is > true whether you use digest or other fields. > > Is there a git repo to provide feedback? I hope to do it in the next few > weeks.. > > Have a nice day, > R: > > Il giorno ven 19 feb 2021 alle ore 22:51 Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org> ha scritto: > > > > My inclination is to keep digest[1] out of the base DPoP document. I do > believe that including it would add unneeded complexity to regular old DPoP > (there are some subtleties around digest that make it more complicated than > one might expect) and, from a design philosophy perspective, DPoP has > always aspired to be only a proof-of-possession mechanism in and of itself > and not venture into the realm of HTTP message integrity or general > signatures. > > > > > > [1] Note that the digest header is defined in RFC3230 but there's work > underway to obsolete that RFC with draft-ietf-httpbis-digest-headers-04 > > > > > > On Wed, Feb 17, 2021 at 2:54 PM Justin Richer <jricher@mit.edu> wrote: > >> > >> Two different specifications (GNAP and FAPI signatures) have recently > profiled DPoP to use its signature method to protect a different kind of > protocol entirely. One thing these methods have in common is that they both > define an additional field for holding a digest of the HTTP Message Body: > >> > >> > https://bitbucket.org/openid/fapi/src/master/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md#markdown-header-521-htd-the-digest-of-the-http-request-or-response-body > >> > >> > https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-03.html#name-demonstration-of-proof-of-p > >> > >> Both of these have the same semantics, and we’re changing the name in > GNAP to align with the FAPI one. This begs the question: do we want to just > define this field as an optional component in DPoP instead of having these > profiles do it separately? It would save them from needing to align with > each other, and anyone else from inventing it again. > >> > >> Is it worth defining this in DPoP directly, or does that complicate the > spec too much? I’ve previously raised a similar question on including a > hash of the access token in the DPoP request to the RS. > >> > >> — Justin > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you._______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Digest for DPoP Justin Richer
- Re: [OAUTH-WG] Digest for DPoP Brian Campbell
- Re: [OAUTH-WG] Digest for DPoP Roberto Polli
- Re: [OAUTH-WG] Digest for DPoP Brian Campbell