Re: [Secdispatch] [dispatch] HTTP Request Signing

Mary Barnes <mary.ietf.barnes@gmail.com> Mon, 04 November 2019 20:03 UTC

From: Mary Barnes <mary.ietf.barnes@gmail.com>
Date: Mon, 04 Nov 2019 14:02:47 -0600
Message-ID: <CAHBDyN5-Hj-Hsr_r7V4QWNBB7eeunSdN0YLAVROuq1LqJEERBA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: DISPATCH <dispatch@ietf.org>, secdispatch@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Ci0zFDYkewFFDDnxGLogSrPOHSk>

Personally, I'd rather not have the presentation twice, recognizing of
course, that not everyone would be able to attend one or the other. But, we
will have recordings and as is oft stated, ultimately decisions happen on
mailing lists.  And, I appreciate and agree with Jeffrey not wanting
feature creep in WPACK.  One objective of DISPATCH has been to ensure that
work that is chartered is discrete enough to finish in a timely manner.

You mention other communities that are interested in this.  Will they be
participating or have they participated in IETF? It's hard for chairs to
judge consensus to work on something when the communities interested in the
work are not participating in IETF.  Mailing list participation is
sufficient.

DISPATCH agenda is pretty full right now, so this would have to fall into
AOB at this juncture if ADs and my WG co-chair agree that we should discuss
in DISPATCH.  And, perhaps whether it gets a few minutes in SECdispatch
might be informed on how it goes in DISPATCH, if we have a chance to
discuss it, since you need the agreement that this is a problem IETF should
solve from both areas.

Regards,
Mary
DISPATCH WG co-chair


On Fri, Nov 1, 2019 at 5:00 PM Justin Richer <jricher@mit.edu> wrote:

> I would like to present and discuss HTTP Request signing at both the
> DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has
> been floating around for years now and has been adopted by a number of
> different external groups and efforts:
>
> https://tools.ietf.org/html/draft-cavage-http-signatures
>
> I’ve spoken with the authors of the draft and we’d like to find out how to
> bring this forward to publication within the IETF. I’m targeting both
> dispatch groups because this represents the intersection of both areas, and
> I think we’d get different perspectives from each side that we should
> consider.
>
> There have been a number of other drafts that have approached HTTP request
> signing as well (I’ve written two of them myself), but none has caught on
> to date and none have made it to RFC. Lately, though, I’ve been seeing a
> lot of renewed effort in different sectors, and in particular the financial
> sector and cloud services, to have a general purpose HTTP message signing
> capability. As such, I think it’s time to push something forward.
>
> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to
> request a presentation slot.
>
> Thank you, and I’ll see you all in Singapore!
>  — Justin