Re: [Secdispatch] [dispatch] HTTP Request Signing

Justin Richer <> Tue, 05 November 2019 16:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D4FA612022C; Tue, 5 Nov 2019 08:56:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uG3uoUyHgHhu; Tue, 5 Nov 2019 08:55:57 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 93E5E120142; Tue, 5 Nov 2019 08:55:57 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id xA5GtsPB030527 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 5 Nov 2019 11:55:55 -0500
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_963E0474-49E8-4133-8051-6DF13C7B688D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 5 Nov 2019 11:55:54 -0500
In-Reply-To: <>
To: Mary Barnes <>
References: <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Nov 2019 16:56:03 -0000

A number of the people involved with implementing the drafts that I’d like to present are involved in IETF in different places, but none for pushing this draft to date. If this work finds a home, I think we’d be able to get a lot of that external community to participate in whatever list ends up hosting the work. 

I’m fine with presenting at only one of DISPATCH or SECDISPATCH instead of both, but since this sits squarely at the intersection of the two communities it might make sense for me to just introduce the concept (~1 min) at whatever meeting I’m not giving a full presentation at. 

 — Justin

> On Nov 4, 2019, at 3:02 PM, Mary Barnes <> wrote:
> Personally, I'd rather not have the presentation twice, recognizing of course, that not everyone would be able to attend one or the other. But, we will have recordings and as is oft stated, ultimately decisions happen on mailing lists.  And, I appreciate and agree with Jeffrey not wanting feature creep in WPACK.  One objective of DISPATCH has been to ensure that work that is chartered is discrete enough to finish in a timely manner.   
> You mention other communities that are interested in this.  Will they be participating or have they participated in IETF?    It's hard for chairs to judge consensus to work on something when the communities interested in the work are not participating in IETF.  Mailing list participation is sufficient.  
> DISPATCH agenda is pretty full right now, so this would have to fall into AOB at this juncture if ADs and my WG co-chair agree that we should discuss in DISPATCH.  And, perhaps whether it gets a few minutes in SECdispatch might be informed on how it goes in DISPATCH, if we have a chance to discuss it, since you need the agreement that this is a problem IETF should solve from both areas.
> Regards,
> Mary
> DISPATCH WG co-chair
> On Fri, Nov 1, 2019 at 5:00 PM Justin Richer < <>> wrote:
> I would like to present and discuss HTTP Request signing at both the DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has been floating around for years now and has been adopted by a number of different external groups and efforts:
> <>
> I’ve spoken with the authors of the draft and we’d like to find out how to bring this forward to publication within the IETF. I’m targeting both dispatch groups because this represents the intersection of both areas, and I think we’d get different perspectives from each side that we should consider. 
> There have been a number of other drafts that have approached HTTP request signing as well (I’ve written two of them myself), but none has caught on to date and none have made it to RFC. Lately, though, I’ve been seeing a lot of renewed effort in different sectors, and in particular the financial sector and cloud services, to have a general purpose HTTP message signing capability. As such, I think it’s time to push something forward. 
> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to request a presentation slot.
> Thank you, and I’ll see you all in Singapore!
>  — Justin
> _______________________________________________
> dispatch mailing list
> <>
> <>