Re: [OAUTH-WG] Digest for DPoP
Roberto Polli <robipolli@gmail.com> Fri, 19 February 2021 22:43 UTC
Return-Path: <robipolli@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C0A93A0C6A for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2021 14:43:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekHFD4-5A-yU for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2021 14:43:33 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BA2A3A0C64 for <oauth@ietf.org>; Fri, 19 Feb 2021 14:43:33 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id i8so7290574iog.7 for <oauth@ietf.org>; Fri, 19 Feb 2021 14:43:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1ryNWNEfrFUC1tk5dEwSVJf3tKcPyULJ3PsjZIj8VsQ=; b=jiOBlTQ8TErkgN1fAaTMDdfxkgh9eotBWebbRAwBJo+8hyeqR73Pjla2/JgB0pEDHy dMoKQvoFpuDKkdz+PnpWO+Vm3HSdlogNNEzdnSQHzDnCgPP/CMn5Wax8n53TRMwGsmil y4J5N7YM/1PdgtuqAWB/M3yjXhFxTJqOxizU/4rkU0JSMi/w/rk05/9ASG2e11b0pQG7 GHjtE8SRRAPGVNf6Ly1oROOVOIv4BBpUfz507KotYlox896pyTNKS/nQeZ/SoIO3vKtk YnxE3dC831c/X3BJVKmmjwr+aVhfDXDMZvAdRXbfETIpGuPcBgGzxcMZp3CWFgQqmnO/ UKfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1ryNWNEfrFUC1tk5dEwSVJf3tKcPyULJ3PsjZIj8VsQ=; b=fxecPxyWSaYjbvYuUp91b3ceeJoB5p3JfoX2lNB1xT2OuTgoUbqeY9YedTTghqmb8m JWOSc13SSnZyg6heurJ6g0awbd9cWxFM/0Ej6bumTBwg3+SWk4T/pjZo3PSXnFNX6oJO +fcjaxIKQ57snaZEo3P07Xuf7rrEdk3Pf3j47wGyOUdhzehdRCWlToz3pjQvZf+lfend QhXf57q33z0036KiyikPFKh0EmrKy39IX6puVOpSh80hPCvpTAx3UjFil2nN/Eu2BJ4b eC6jKAipSvMMx/4Dxe9g8e81/RCYU1Xb7002k+fLBwZDJTsU55G4iXv7fL9/L5k/GNF3 DmCw==
X-Gm-Message-State: AOAM530Eh4W5k23/uH6GbPteVZjYKq9u9+5PhR1TDxreITNBj6IIYcdb 9zU48KseGouYlyeWAJxqQbdhIz+QXnC/teGnTkY=
X-Google-Smtp-Source: ABdhPJzrL2vNOg09JSE481OGpp9dOeMoDbbvM8a5iuTrGtvMmmLsstCzatOloxbruWRFpry49NxzHA3hCtFC3/p+ahk=
X-Received: by 2002:a02:cbcf:: with SMTP id u15mr11898323jaq.131.1613774612531; Fri, 19 Feb 2021 14:43:32 -0800 (PST)
MIME-Version: 1.0
References: <5A5EEBCB-0075-4F9E-B943-E6F142A6E84C@mit.edu> <CA+k3eCSZgn_8DrUbZvDpPSsvEy1U_whWGMf-YDoUTXc8e9bMVg@mail.gmail.com>
In-Reply-To: <CA+k3eCSZgn_8DrUbZvDpPSsvEy1U_whWGMf-YDoUTXc8e9bMVg@mail.gmail.com>
From: Roberto Polli <robipolli@gmail.com>
Date: Fri, 19 Feb 2021 23:43:21 +0100
Message-ID: <CAP9qbHWbWkqvBSM62D9jCiJkYgFe3j-yzcpPw4EjOnARHrOivA@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/scLTF64jTR-OJ8Lap5rKWkySAIs>
Subject: Re: [OAUTH-WG] Digest for DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2021 22:43:35 -0000
Hi @all, I'm planning to read those I-D as they might be useful in a project, and I'm happy to provide feedback on digest usage. In general, when building protocols over HTTP it is necessary to take into account the semantics (eg. range requests, caching, ...) because reverse proxies, WAF and api gateways implement them: this is true whether you use digest or other fields. Is there a git repo to provide feedback? I hope to do it in the next few weeks.. Have a nice day, R: Il giorno ven 19 feb 2021 alle ore 22:51 Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> ha scritto: > > My inclination is to keep digest[1] out of the base DPoP document. I do believe that including it would add unneeded complexity to regular old DPoP (there are some subtleties around digest that make it more complicated than one might expect) and, from a design philosophy perspective, DPoP has always aspired to be only a proof-of-possession mechanism in and of itself and not venture into the realm of HTTP message integrity or general signatures. > > > [1] Note that the digest header is defined in RFC3230 but there's work underway to obsolete that RFC with draft-ietf-httpbis-digest-headers-04 > > > On Wed, Feb 17, 2021 at 2:54 PM Justin Richer <jricher@mit.edu> wrote: >> >> Two different specifications (GNAP and FAPI signatures) have recently profiled DPoP to use its signature method to protect a different kind of protocol entirely. One thing these methods have in common is that they both define an additional field for holding a digest of the HTTP Message Body: >> >> https://bitbucket.org/openid/fapi/src/master/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md#markdown-header-521-htd-the-digest-of-the-http-request-or-response-body >> >> https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-03.html#name-demonstration-of-proof-of-p >> >> Both of these have the same semantics, and we’re changing the name in GNAP to align with the FAPI one. This begs the question: do we want to just define this field as an optional component in DPoP instead of having these profiles do it separately? It would save them from needing to align with each other, and anyone else from inventing it again. >> >> Is it worth defining this in DPoP directly, or does that complicate the spec too much? I’ve previously raised a similar question on including a hash of the access token in the DPoP request to the RS. >> >> — Justin >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Digest for DPoP Justin Richer
- Re: [OAUTH-WG] Digest for DPoP Brian Campbell
- Re: [OAUTH-WG] Digest for DPoP Roberto Polli
- Re: [OAUTH-WG] Digest for DPoP Brian Campbell