Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-00.txt

Justin Richer <jricher@mit.edu> Mon, 22 December 2014 12:33 UTC

Date: Mon, 22 Dec 2014 07:33:22 -0500
From: Justin Richer <jricher@mit.edu>
To: Sergey Beryozkin <sberyozkin@gmail.com>, oauth@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/gWoErIaW2SzaxuYJKzF5_Y-lTXg
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-00.txt

That's easy: any headers. That's why the signer specifies which ones. Would be good to have some guidance though, and examples.


-- Justin

/ Sent from my phone /


-------- Original message --------
From: Sergey Beryozkin <sberyozkin@gmail.com> 
Date: 12/22/2014 7:08 AM (GMT-05:00)
To: oauth@ietf.org
Cc:
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-00.txt

Hi Justin

I see a fair bit of interest toward this work now being shown from my
colleagues; it would help if the next draft could clarify which HTTP
headers can be signed, given it is difficult to get hold of some of the HTTP
headers typically created by a low-level HTTP transport component.

Thanks, Sergey

On 21/07/14 14:58, internet-drafts@ietf.org wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>
>          Title           : A Method for Signing an HTTP Requests for OAuth
>          Authors         : Justin Richer
>                            John Bradley
>                            Hannes Tschofenig
> Filename        : draft-ietf-oauth-signed-http-request-00.txt
> Pages           : 11
> Date            : 2014-07-21
>
> Abstract:
>     This document a method for offering data origin authentication and
>     integrity protection of HTTP requests.  To convey the relevant data
>     items in the request a JSON-based encapsulation is used and the JSON
>     Web Signature (JWS) technique is re-used.  JWS offers integrity
>     protection using symmetric as well as asymmetric cryptography.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
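
The point made in this exchange, that the signer names the headers it covers so headers added later by the HTTP transport need not be signed, shown as an added example that is not part of the original thread or of the draft. It is a simplified HMAC scheme, not the draft's JWS wire format; the key, the field names (`names`, `hash`, `tag`), the sample headers and the verifier's `required` policy check are all assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared secret, for illustration only


def _canonical(names, headers):
    # Look headers up case-insensitively, in the order the signer listed them.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [n for n in names if n.lower() not in lower]
    if missing:
        raise ValueError(f"listed header absent from request: {missing}")
    return "\n".join(f"{n.lower()}: {lower[n.lower()]}" for n in names).encode()


def sign(headers, names, key=KEY):
    """Signer side: cover only the headers named in `names`."""
    digest = hashlib.sha256(_canonical(names, headers)).hexdigest()
    payload = json.dumps({"names": names, "hash": digest}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(headers, signed, key=KEY, required=()):
    """Verifier side: authenticate the list, then recompute over exactly that list."""
    expected = hmac.new(key, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False
    claims = json.loads(signed["payload"])
    covered = {n.lower() for n in claims["names"]}
    # Assumed local policy: the signer's list must include headers we rely on.
    if not {r.lower() for r in required} <= covered:
        return False
    try:
        digest = hashlib.sha256(_canonical(claims["names"], headers)).hexdigest()
    except ValueError:
        return False  # a signed header was stripped in transit
    return hmac.compare_digest(digest, claims["hash"])


# Constructed sample: headers the application sets, then the request as received
# after the transport layer has added headers the signer never saw.
APP_HEADERS = {"Host": "api.example.com", "Content-Type": "application/json"}
SIGNED = sign(APP_HEADERS, ["Host", "Content-Type"])
ON_WIRE = dict(APP_HEADERS, **{"Content-Length": "42", "Connection": "keep-alive"})
```

Because the header list is chosen by the signer, the verifier should enforce its own minimum set (the `required` argument here); otherwise a header the resource server depends on can simply be left out of the signature.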
