Re: [OAUTH-WG] [http-auth] Review Request for third draft of "Signing HTTP Messages"

Justin Richer <jricher@MIT.EDU> Tue, 13 May 2014 15:33 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jK21EO4tIbTqjXV5fhGNogmk27M
Cc: OAuth WG <oauth@ietf.org>

They’re similar in that they both take elements from the HTTP message and create a signature on them, and they use the same “list the order of the elements” trick to avoid normalization to a large extent. The main difference is that my draft uses JWS as the signature (and ultimately transport) mechanism and the Cavage draft (and the AWS method it is born from, as I understand it) uses a new HTTP auth header format, much like OAuth 1.0 and the (old, dusty, abandoned, can-we-stop-bringing-it-up) MAC draft. My original (unpublished) version of the draft didn’t actually specify or care how you got the key, as I think that HTTP signing is a general mechanism.

That said, there seems to be a lot of interest in solving this case that OAuth 1.0 managed to get somewhat right-ish.

 — Justin

On May 12, 2014, at 1:59 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Conceptually, draft-cavage-http-signatures-02 is the same as OAuth 1.0.
> Therefore, the symmetric key part of the document is the same as the MAC
> token.
> 
> Not quite sure why the authors have not read the OAuth work.
> 
> On 05/09/2014 01:22 AM, Phil Hunt wrote:
>> How does this compare with justin's draft?
>> 
>> Phil
>> 
>> Begin forwarded message:
>> 
>>> *From:* Manu Sporny <msporny@digitalbazaar.com
>>> <mailto:msporny@digitalbazaar.com>>
>>> *Date:* May 8, 2014 at 14:41:55 PDT
>>> *To:* IETF HTTP Auth <http-auth@ietf.org <mailto:http-auth@ietf.org>>
>>> *Cc:* Julian Reschke <julian.reschke@gmx.de
>>> <mailto:julian.reschke@gmx.de>>, Mark Nottingham <mnot@mnot.net
>>> <mailto:mnot@mnot.net>>, Web Payments CG <public-webpayments@w3.org
>>> <mailto:public-webpayments@w3.org>>
>>> *Subject:* *[http-auth] Review Request for third draft of "Signing
>>> HTTP Messages"*
>>> 
>>> After feedback from Mark Nottingham[1], Julian Reschke[2], folks in the
>>> HTTP Auth WG, and people in the Web Payments CG, we've modified the HTTP
>>> Signatures specification in the following ways:
>>> 
>>> 1. The specification has been renamed to "Signing HTTP Messages".
>>> 2. The specification now covers both a signature-based Authorization
>>>  mechanism (client-to-server) as well as a general mechanism to sign
>>>  HTTP messages (client-to-server and server-to-client).
>>> 3. A new "Signature" header has been introduced.
>>> 4. The layout has been modified heavily to streamline the information
>>>  conveyed in the spec.
>>> 5. New registries have been created for the algorithms referred to in
>>>  the specification.
>>> 6. We're now more specific in the way certain canonicalizations are
>>>  performed.
>>> 7. More examples have been added, including how to digitally sign
>>>  the body of an HTTP message.
>>> 
>>> The basic mechanism of generating the signatures has not changed (and
>>> has been stable for over a year).
>>> 
>>> The newest spec can be found here:
>>> 
>>> http://tools.ietf.org/html/draft-cavage-http-signatures-02
>>> 
>>> The diff is here:
>>> 
>>> http://tools.ietf.org/rfcdiff?url2=draft-cavage-http-signatures-02.txt
>>> 
>>> Matt, Yoav, Kathleen, if there are no show stopping review comments, I'd
>>> like to push this spec onto the RFC track in the HTTP Auth WG, or
>>> HTTPbis/2 WG. It'll be ready for a LC in a month or two. I realize that
>>> HTTP Auth may be shutting down next month, so what's the next step to
>>> get the HTTP Signatures spec further down the IETF RFC track?
>>> 
>>> -- manu
>>> 
>>> [1]
>>> http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0038.html
>>> [2]
>>> http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0036.html
>>> 
>>> -- 
>>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>>> Founder/CEO - Digital Bazaar, Inc.
>>> blog: The Marathonic Dawn of Web Payments
>>> http://manu.sporny.org/2014/dawn-of-web-payments/
>>> 
>>> _______________________________________________
>>> http-auth mailing list
>>> http-auth@ietf.org <mailto:http-auth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/http-auth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
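As an added example (not code from this thread or from either draft), the shared-secret variant Hannes compares to the MAC token: the signer builds the signing string from the header list it declares, and the verifier rebuilds it from that list but enforces its own minimum set of covered elements instead of trusting the signer's choice. The `(request-target)` pseudo-header name, the `hmac-sha256` label, the key table and the sample request are assumptions.

```python
import base64, hashlib, hmac, re

KEYS = {"demo-key-1": b"constructed-shared-secret"}   # constructed keyId -> key table
REQUIRED = {"(request-target)", "host", "date"}        # verifier policy (assumption)

def signing_string(method, path, headers, covered):
    # One "name: value" line per covered element, in the order the signer
    # declared them; header names are lowercase, values stripped.
    lines = []
    for name in covered:
        if name == "(request-target)":   # pseudo-header: method and path
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {headers[name].strip()}")
    return "\n".join(lines)

def sign(method, path, headers, covered, key_id):
    # Signer: HMAC-SHA256 over the signing string, packed into the Signature
    # auth-scheme with the covered list so the verifier can rebuild the string.
    mac = hmac.new(KEYS[key_id], signing_string(method, path, headers, covered).encode(),
                   hashlib.sha256).digest()
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(covered)}",signature="{base64.b64encode(mac).decode()}"')

def verify(method, path, headers):
    # Verifier: use the signer's list only for ordering, not for coverage;
    # refuse signatures that omit elements our policy requires.
    auth = headers.get("authorization", "")
    if not auth.startswith("Signature "):
        return False
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth[len("Signature "):]))
    covered = p.get("headers", "date").split()          # absent list: date only
    if (not REQUIRED <= set(covered) or p.get("algorithm") != "hmac-sha256"
            or p.get("keyId") not in KEYS
            or any(h != "(request-target)" and h not in headers for h in covered)):
        return False
    expected = hmac.new(KEYS[p["keyId"]], signing_string(method, path, headers, covered).encode(),
                        hashlib.sha256).digest()
    try:
        given = base64.b64decode(p.get("signature", ""), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)      # constant-time comparison

REQ = {"host": "api.example.test", "date": "Tue, 13 May 2014 15:33:12 GMT"}  # constructed
COVERED = ["(request-target)", "host", "date"]

def demo():
    good = dict(REQ, authorization=sign("POST", "/pay", REQ, COVERED, "demo-key-1"))
    tampered = dict(good, date="Wed, 14 May 2014 00:00:00 GMT")   # Date changed in transit
    weak = dict(REQ, authorization=sign("POST", "/pay", REQ, COVERED[:2], "demo-key-1"))
    return verify("POST", "/pay", good), verify("POST", "/pay", tampered), verify("POST", "/pay", weak)
```

The third case carries a valid MAC but covers no Date header, so the verifier's policy rejects it; that check is what keeps the "declare the covered elements" trick from becoming a downgrade the signer (or a forger) controls.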