Re: [Secdispatch] [dispatch] HTTP Request Signing

Mark Nottingham <> Sun, 03 November 2019 22:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9C70B120043; Sun, 3 Nov 2019 14:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=W7HH+A3h; dkim=pass (2048-bit key) header.b=oyhuSap/
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id L8n4QV_ieQIY; Sun, 3 Nov 2019 14:28:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 648E612000F; Sun, 3 Nov 2019 14:28:21 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id 52C60213CA; Sun, 3 Nov 2019 17:28:19 -0500 (EST)
Received: from mailfrontend1 ([]) by compute3.internal (MEProxy); Sun, 03 Nov 2019 17:28:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm1; bh=n W0SkntqlbpA2HkAY1i1TK+OxCWg75rW0nGT9HT++Ko=; b=W7HH+A3hjqUDXjQqp lkAmLw4sqJ/LDbPJ6jOWgTXfuGYag1mT8PA2OqpZ7UYTC8a46LEZ0Z//JXNaxT9E qGNC52rwTkNdlsXoB46dMilz1SvYaOZwEzDWwVgEf9hTnQTzeCZzgqHHIOR47s66 vgskeMdmAcD4DZLnW7/bUVJtJoP8gYzTTJm1qGwPQ+PCNI0oxR6SOHlZDyYHX0iP VuAxTAWlhQ7iFaKPGhabs2rEpjkfOmUsn8WzG4aAPTSlHEIS1xVZESXiV61OlLor R0q+b23Szb0zZb5/HFtXiV4HxMU7OS9UpeLGLMOd/lULFqze127rhSCjI/Pn4S4t BC4OA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=nW0SkntqlbpA2HkAY1i1TK+OxCWg75rW0nGT9HT++ Ko=; b=oyhuSap/DZxI2sefPgdezR6aSGr/A6J+qgDDvQLCFGpo+rP8C8BdTP4NX 2cm+nWN3R//YYVn/WIJ3ziCdWRmM+G4Py+mPuXqac9r7bmudbFheUwejn8CzHon/ EgJC8dkHATT/dtekbPW2DXchcP+nBswS0RE7XNm8UhOfQY55v6ta8PTEhbs6Akgk YQ1aCE6sTNDQ+oP5MRK3zs6f1HFWBNXGVfdkSEGMyhqq4GnAvdAOpQRRNOZ/4qF7 VM7+JPWFvMG8TM3dCVaHp0ts+JWar4VjTrtHbSMlBMareiK3SYvl9u3xpAfSAnR4 dJRkmR2jkPc3Dvbn+XPulqdiQqsvg==
X-ME-Sender: <xms:glS_XYnOEFeZgkNy_MX-uItx43cAFmOKJE8ePqygH10cXMp47uGNUg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudduuddgudeihecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpeforghr khcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuffhomhgrih hnpehhthhtphgtohhmmhhunhhithhivghsrhgvshhpvggtthhivhgvlhihrdhsohdphhht thhpmhgvshhsrghgvghsihhgnhhinhhgtggrphgrsghilhhithihrdgrshdpihgvthhfrd horhhgpdhmnhhothdrnhgvthenucfkphepudduledrudejrdduheekrddvhedunecurfgr rhgrmhepmhgrihhlfhhrohhmpehmnhhothesmhhnohhtrdhnvghtnecuvehluhhsthgvrh fuihiivgeptd
X-ME-Proxy: <xmx:glS_XTawOm4ITgsGjLWL4VJaKttJ1skaMvDmn5s1diWN4efu56UykQ> <xmx:glS_Xd7U5CPFr5vnPpt1lmmYSxGh_R6Htdu9-0Fdt26MhFQJfU0EVg> <xmx:glS_Xc9ZKvAHfVMhEAgdFANRp-LS2_d5FtSi2Mk2hTDLtb4Q6wFOgg> <xmx:g1S_XSnWihiPkkrWBrCEB5dIJM--0r5qpnTKTfQGwIeurVQBf5jGxQ>
Received: from (unknown []) by (Postfix) with ESMTPA id DCDD980059; Sun, 3 Nov 2019 17:28:12 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Mon, 4 Nov 2019 09:28:08 +1100
Cc: Justin Richer <>,,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Jeffrey Yasskin <>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Nov 2019 22:28:24 -0000

I understand -- I just want to make sure the discussions are coordinated, not had in isolation.


> On 3 Nov 2019, at 2:18 pm, Jeffrey Yasskin <> wrote:
> That's roughly what I was going to say. :) I'd like to avoid the scope creep of having WPACK take on request signing in addition to, effectively, response signing. It's *possible* that we could define an HTTP header in a general enough way that it would work for both purposes, and attempts to do that, but the problem spaces seem to be different enough that we should have separate groups write down the requirements for each side's signatures before deciding that a single header will work. It's not even clear to me that WPACK is going to end up defining an HTTP header, even though my draft currently does so.
> I'll be sure to attend the request-signing sessions in case they establish that I'm wrong about this.
> Jeffrey
> On Sat, Nov 2, 2019 at 3:39 PM Justin Richer <> wrote:
> Thanks for the pointer to the BoF, I hadn’t seen that one. I am familiar with the draft you linked though: The main difference is that the draft in question is for a signed response, whereas the draft(s) I’ve pointed at are for a signed request. Yes, they ought to be aligned, but the WG in question seems to be much more focused on packaging responses together than dealing with requests. If that new group also wants to take on request signing, then by all means let’s do it there. But it’s not as clean a match as it might seem on the surface, I think.
>  — Justin
> > On Nov 2, 2019, at 12:26 AM, Mark Nottingham <> wrote:
> > 
> > Hi Justin,
> > 
> > It's worth noting that there's a Working Group forming BoF, wpack, being held in Singapore about a draft with similar goals:
> >
> > 
> > In particular, both this draft and Jeffrey's propose the Signature HTTP header field, and seem to have at least partially overlapping use cases.
> > 
> > If possible, it'd be good to avoid duplication of effort -- especially in terms of evaluating security properties and "fit" into HTTP by the security and HTTP communities, respectively. So, I'd suggest bringing it up there instead.
> > 
> > Cheers,  
> > 
> > 
> >> On 2 Nov 2019, at 8:59 am, Justin Richer <> wrote:
> >> 
> >> I would like to present and discuss HTTP Request signing at both the DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has been floating around for years now and has been adopted by a number of different external groups and efforts:
> >> 
> >>
> >> 
> >> I’ve spoken with the authors of the draft and we’d like to find out how to bring this forward to publication within the IETF. I’m targeting both dispatch groups because this represents the intersection of both areas, and I think we’d get different perspectives from each side that we should consider. 
> >> 
> >> There have been a number of other drafts that have approached HTTP request signing as well (I’ve written two of them myself), but none has caught on to date and none have made it to RFC. Lately, though, I’ve been seeing a lot of renewed effort in different sectors, and in particular the financial sector and cloud services, to have a general purpose HTTP message signing capability. As such, I think it’s time to push something forward. 
> >> 
> >> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to request a presentation slot.
> >> 
> >> Thank you, and I’ll see you all in Singapore!
> >> — Justin
> >> _______________________________________________
> >> dispatch mailing list
> >>
> >>
> > 
> > --
> > Mark Nottingham
> > 
> _______________________________________________
> dispatch mailing list

Mark Nottingham