Re: [Secdispatch] [dispatch] HTTP Request Signing

Adam Roach <> Tue, 05 November 2019 19:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EDC48120AE9; Tue, 5 Nov 2019 11:43:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.279
X-Spam-Status: No, score=-1.279 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id afmNvmOUVrUg; Tue, 5 Nov 2019 11:43:10 -0800 (PST)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5E916120AB5; Tue, 5 Nov 2019 11:43:10 -0800 (PST)
Received: from Svantevit.local ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id xA5Jh5bI088661 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 5 Nov 2019 13:43:07 -0600 (CST) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1572982988; bh=68db0cZo867PbSAwMiTTcmRl4TekzR2+H/3ilrUY/Hk=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=GZRWVfr0RrNPqAtEBN6COySzEyo2h8BHYYoygS1yG+nqdu6BwYZIp4V62G8n4o+yG Uxp1GMGRBQTI5P1DLdmrkCPJ7Ex2cTWjzrQDQ7BeKDG7NIdBoj1M56Dl+ulmB/OoGU vz4rRArwHMUjriDeGCH51fGmH+2m5nqWR/PSRL+o=
X-Authentication-Warning: Host [] claimed to be Svantevit.local
To: Kathleen Moriarty <>, Justin Richer <>
Cc: DISPATCH <>, IETF SecDispatch <>
References: <> <> <> <>
From: Adam Roach <>
Message-ID: <>
Date: Tue, 5 Nov 2019 13:43:00 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------7048C49F4FD1DE109B9F8519"
Content-Language: en-US
Archived-At: <>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Nov 2019 19:43:12 -0000

Given that DISPATCH meets in the first Monday morning slot, I think this 
plan makes the most sense. Justin (or the DISPATCH chairs) can give a 
very short description of the purpose of the proposed mechanism, and let 
interested parties know that the discussion will take place in SECDISPATCH.


On 11/5/19 10:59 AM, Kathleen Moriarty wrote:
> We have the time at SecDispatch, so should I just add it 
> considering DISPATCH has a full agenda?
> Best regards,
> Kathleen
> On Tue, Nov 5, 2019 at 11:56 AM Justin Richer < 
> <>> wrote:
>     A number of the people involved with implementing the drafts that
>     I’d like to present are involved in IETF in different places, but
>     none for pushing this draft to date. If this work finds a home, I
>     think we’d be able to get a lot of that external community to
>     participate in whatever list ends up hosting the work.
>     I’m fine with presenting at only one of DISPATCH or SECDISPATCH
>     instead of both, but since this sits squarely at the intersection
>     of the two communities it might make sense for me to just
>     introduce the concept (~1 min) at whatever meeting I’m not giving
>     a full presentation at.
>      — Justin
>>     On Nov 4, 2019, at 3:02 PM, Mary Barnes
>>     < <>>
>>     wrote:
>>     Personally, I'd rather not have the presentation twice,
>>     recognizing of course, that not everyone would be able to attend
>>     one or the other. But, we will have recordings and as is oft
>>     stated, ultimately decisions happen on mailing lists.  And, I
>>     appreciate and agree with Jeffrey not wanting feature creep in
>>     WPACK.  One objective of DISPATCH has been to ensure that work
>>     that is chartered is discrete enough to finish in a timely manner.
>>     You mention other communities that are interested in this.  Will
>>     they be participating or have they participated in IETF?    It's
>>     hard for chairs to judge consensus to work on something when the
>>     communities interested in the work are not participating in
>>     IETF.  Mailing list participation is sufficient.
>>     DISPATCH agenda is pretty full right now, so this would have to
>>     fall into AOB at this juncture if ADs and my WG co-chair agree
>>     that we should discuss in DISPATCH.  And, perhaps whether it gets
>>     a few minutes in SECdispatch might be informed on how it goes in
>>     DISPATCH, if we have a chance to discuss it, since you need the
>>     agreement that this is a problem IETF should solve from both areas.
>>     Regards,
>>     Mary
>>     DISPATCH WG co-chair
>>     On Fri, Nov 1, 2019 at 5:00 PM Justin Richer <
>>     <>> wrote:
>>         I would like to present and discuss HTTP Request signing at
>>         both the DISPATCH and SECDISPATCH meetings at IETF106 in
>>         Singapore. This I-D has been floating around for years now
>>         and has been adopted by a number of different external groups
>>         and efforts:
>>         I’ve spoken with the authors of the draft and we’d like to
>>         find out how to bring this forward to publication within the
>>         IETF. I’m targeting both dispatch groups because this
>>         represents the intersection of both areas, and I think we’d
>>         get different perspectives from each side that we should
>>         consider.
>>         There have been a number of other drafts that have approached
>>         HTTP request signing as well (I’ve written two of them
>>         myself), but none has caught on to date and none have made it
>>         to RFC. Lately, though, I’ve been seeing a lot of renewed
>>         effort in different sectors, and in particular the financial
>>         sector and cloud services, to have a general purpose HTTP
>>         message signing capability. As such, I think it’s time to
>>         push something forward.
>>         I’ve reached out to the chairs for both DISPATCH and
>>         SECDISPATCH to request a presentation slot.
>>         Thank you, and I’ll see you all in Singapore!
>>          — Justin
>>         _______________________________________________
>>         dispatch mailing list
>> <>
>     _______________________________________________
>     Secdispatch mailing list
> <>
> -- 
> Best regards,
> Kathleen
> _______________________________________________
> dispatch mailing list