Re: [Secdispatch] [dispatch] HTTP Request Signing

Kathleen Moriarty <> Tue, 05 November 2019 16:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 872B11200C3; Tue, 5 Nov 2019 08:59:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dUu0j4b7uZdi; Tue, 5 Nov 2019 08:59:53 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6576E12001A; Tue, 5 Nov 2019 08:59:53 -0800 (PST)
Received: by with SMTP id d5so6193051otp.4; Tue, 05 Nov 2019 08:59:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=q/lyxPHHDnq0KjQHvOabgH4P24NT8XbqTXbIexihDkg=; b=OJr4qiz3Km6UtY2h9rMi9nv4J603ANkdZOt2AUYWEHo4evc5QKDnmizMN+PE6yQzzx lLxjxB7LQQQfWQ6hse0tyhxNtQPdkIyVLd6XS1g93xJgbcN6/uN+bbofqYN6aDpzjv8a Y54sAsad9p9cIGwXrtJnFJolD+gryTUK1FVfkhjXSCUhXA4z9EhoXHSFgOzX3FtHVPXa A/EAfJEdzraUbXM0vdt5SMajUKU5TMfXzU4gJoglY6Zj97N+azmeTCrZYeNCyf1Cbp++ 92c+p/bI19aqh+VS1oHEmwAJhZAjse1dffgvYe0Pk9iilQrwVP3MJXm9tkY0OYuf5YAW zrnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=q/lyxPHHDnq0KjQHvOabgH4P24NT8XbqTXbIexihDkg=; b=qYvFcD6UqrVHftPe05wHcPTGGeoB5pe+O1HB/GhS4/61+DZ4VKtFp8fKzkZ0tPQs9O r553nOjl+7kcyo+wWBWcFMILhlRFOaWW5DYp24IJr5p4EnBQcQKiU7kz+ne4KStiaIUt NqQDsFaZP4rfEZafrX7yucH51Qr+cISRCYgHtiy7vQtwTEJH0D+SLPyetjPFeAsuOEli s4FKiKix/lH9C8uXwkwLNnVeg8UOB9g3JXJ3dQ7mXC1VDBVSYVrIvg+CBgz9huHHqstq BJrtGxs3YQRNrQi6V+yulYSpLW1YwbGS+o4iW6rk8qxsS0WAuD2JeMcFOZh7wvVuLUUG ON+g==
X-Gm-Message-State: APjAAAX2sl6x3p2sSXSdJfG7bDhpDonqfZiJB1KDAm/qGpGeQYrc9U8j dD/m8s59zW0fLn+2xhRTF14Qr1DEERoOgD2Gh44=
X-Google-Smtp-Source: APXvYqzvSU19SHxlufPL5lFK8qIRAVJra3Aj32YrfeSDMTdWlIpjf3vdsImZE/opeYRe97L9LyeGAnRIZifHOBMkxGA=
X-Received: by 2002:a05:6830:210e:: with SMTP id i14mr9209640otc.250.1572973192436; Tue, 05 Nov 2019 08:59:52 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Kathleen Moriarty <>
Date: Tue, 5 Nov 2019 11:59:15 -0500
Message-ID: <>
To: Justin Richer <>
Cc: Mary Barnes <>, DISPATCH <>, IETF SecDispatch <>
Content-Type: multipart/alternative; boundary="00000000000060612b05969c5c13"
Archived-At: <>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Nov 2019 16:59:57 -0000

We have the time at SecDispatch, so should I just add it
considering DISPATCH has a full agenda?

Best regards,

On Tue, Nov 5, 2019 at 11:56 AM Justin Richer <> wrote:

> A number of the people involved with implementing the drafts that I’d like
> to present are involved in IETF in different places, but none for pushing
> this draft to date. If this work finds a home, I think we’d be able to get
> a lot of that external community to participate in whatever list ends up
> hosting the work.
> I’m fine with presenting at only one of DISPATCH or SECDISPATCH instead of
> both, but since this sits squarely at the intersection of the two
> communities it might make sense for me to just introduce the concept (~1
> min) at whatever meeting I’m not giving a full presentation at.
>  — Justin
> On Nov 4, 2019, at 3:02 PM, Mary Barnes <>
> wrote:
> Personally, I'd rather not have the presentation twice, recognizing of
> course, that not everyone would be able to attend one or the other. But, we
> will have recordings and as is oft stated, ultimately decisions happen on
> mailing lists.  And, I appreciate and agree with Jeffrey not wanting
> feature creep in WPACK.  One objective of DISPATCH has been to ensure that
> work that is chartered is discrete enough to finish in a timely manner.
> You mention other communities that are interested in this.  Will they be
> participating or have they participated in IETF?    It's hard for chairs to
> judge consensus to work on something when the communities interested in the
> work are not participating in IETF.  Mailing list participation is
> sufficient.
> DISPATCH agenda is pretty full right now, so this would have to fall into
> AOB at this juncture if ADs and my WG co-chair agree that we should discuss
> in DISPATCH.  And, perhaps whether it gets a few minutes in SECdispatch
> might be informed on how it goes in DISPATCH, if we have a chance to
> discuss it, since you need the agreement that this is a problem IETF should
> solve from both areas.
> Regards,
> Mary
> DISPATCH WG co-chair
> On Fri, Nov 1, 2019 at 5:00 PM Justin Richer <> wrote:
>> I would like to present and discuss HTTP Request signing at both the
>> DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has
>> been floating around for years now and has been adopted by a number of
>> different external groups and efforts:
>> I’ve spoken with the authors of the draft and we’d like to find out how
>> to bring this forward to publication within the IETF. I’m targeting both
>> dispatch groups because this represents the intersection of both areas, and
>> I think we’d get different perspectives from each side that we should
>> consider.
>> There have been a number of other drafts that have approached HTTP
>> request signing as well (I’ve written two of them myself), but none has
>> caught on to date and none have made it to RFC. Lately, though, I’ve been
>> seeing a lot of renewed effort in different sectors, and in particular the
>> financial sector and cloud services, to have a general purpose HTTP message
>> signing capability. As such, I think it’s time to push something forward.
>> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to
>> request a presentation slot.
>> Thank you, and I’ll see you all in Singapore!
>>  — Justin
>> _______________________________________________
>> dispatch mailing list
> _______________________________________________
> Secdispatch mailing list


Best regards,