Re: [Secdispatch] [dispatch] HTTP Request Signing

Justin Richer <jricher@mit.edu> Tue, 05 November 2019 17:06 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66D761200D8; Tue, 5 Nov 2019 09:06:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4GjyHZtrqmu; Tue, 5 Nov 2019 09:06:46 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9C001200C4; Tue, 5 Nov 2019 09:06:45 -0800 (PST)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xA5H6gHA002214 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 5 Nov 2019 12:06:42 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <711F14DE-A33D-4A49-870C-2627766C6EDF@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A276ADCA-0B49-4C30-B1E9-A2F922480EFF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 5 Nov 2019 12:06:41 -0500
In-Reply-To: <CAHbuEH5DQ7uRwe6=1dj80VLrkik6ceyGe+reeN+fmgVQmM9rcw@mail.gmail.com>
Cc: Mary Barnes <mary.ietf.barnes@gmail.com>, DISPATCH <dispatch@ietf.org>, IETF SecDispatch <secdispatch@ietf.org>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <E53D0610-2A30-483E-9BF5-BC83E7BC2CBF@mit.edu> <CAHBDyN5-Hj-Hsr_r7V4QWNBB7eeunSdN0YLAVROuq1LqJEERBA@mail.gmail.com> <279B9C8D-0614-482C-8839-FE10455331B6@mit.edu> <CAHbuEH5DQ7uRwe6=1dj80VLrkik6ceyGe+reeN+fmgVQmM9rcw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/YQ5jEkTaWIyNmYioDnG4nWd8aF0>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 17:06:48 -0000

That sounds great to me, I will plan to present at SECDISPATCH. If the chairs of DISPATCH would be willing to give me a quick moment to just point people to this other work during the meeting, in case they aren’t paying attention to this list. Considering that DISPATCH is first it’d mostly be pointing people to the SECDISPATCH meeting for the discussion if they’re interested.

 — Justin

> On Nov 5, 2019, at 11:59 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> We have the time at SecDispatch, so should I just add it considering DISPATCH has a full agenda?
> 
> Best regards,
> Kathleen
> 
> On Tue, Nov 5, 2019 at 11:56 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> A number of the people involved with implementing the drafts that I’d like to present are involved in IETF in different places, but none for pushing this draft to date. If this work finds a home, I think we’d be able to get a lot of that external community to participate in whatever list ends up hosting the work. 
> 
> I’m fine with presenting at only one of DISPATCH or SECDISPATCH instead of both, but since this sits squarely at the intersection of the two communities it might make sense for me to just introduce the concept (~1 min) at whatever meeting I’m not giving a full presentation at. 
> 
>  — Justin
> 
> 
>> On Nov 4, 2019, at 3:02 PM, Mary Barnes <mary.ietf.barnes@gmail.com <mailto:mary.ietf.barnes@gmail.com>> wrote:
>> 
>> Personally, I'd rather not have the presentation twice, recognizing of course, that not everyone would be able to attend one or the other. But, we will have recordings and as is oft stated, ultimately decisions happen on mailing lists.  And, I appreciate and agree with Jeffrey not wanting feature creep in WPACK.  One objective of DISPATCH has been to ensure that work that is chartered is discrete enough to finish in a timely manner.   
>> 
>> You mention other communities that are interested in this.  Will they be participating or have they participated in IETF?    It's hard for chairs to judge consensus to work on something when the communities interested in the work are not participating in IETF.  Mailing list participation is sufficient.  
>> 
>> DISPATCH agenda is pretty full right now, so this would have to fall into AOB at this juncture if ADs and my WG co-chair agree that we should discuss in DISPATCH.  And, perhaps whether it gets a few minutes in SECdispatch might be informed on how it goes in DISPATCH, if we have a chance to discuss it, since you need the agreement that this is a problem IETF should solve from both areas.
>> 
>> Regards,
>> Mary
>> DISPATCH WG co-chair
>> 
>> 
>> On Fri, Nov 1, 2019 at 5:00 PM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>> I would like to present and discuss HTTP Request signing at both the DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has been floating around for years now and has been adopted by a number of different external groups and efforts:
>> 
>> https://tools.ietf.org/html/draft-cavage-http-signatures <https://tools.ietf.org/html/draft-cavage-http-signatures>
>> 
>> I’ve spoken with the authors of the draft and we’d like to find out how to bring this forward to publication within the IETF. I’m targeting both dispatch groups because this represents the intersection of both areas, and I think we’d get different perspectives from each side that we should consider. 
>> 
>> There have been a number of other drafts that have approached HTTP request signing as well (I’ve written two of them myself), but none has caught on to date and none have made it to RFC. Lately, though, I’ve been seeing a lot of renewed effort in different sectors, and in particular the financial sector and cloud services, to have a general purpose HTTP message signing capability. As such, I think it’s time to push something forward. 
>> 
>> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to request a presentation slot.
>> 
>> Thank you, and I’ll see you all in Singapore!
>>  — Justin
>> _______________________________________________
>> dispatch mailing list
>> dispatch@ietf.org <mailto:dispatch@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dispatch <https://www.ietf.org/mailman/listinfo/dispatch>
> 
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org <mailto:Secdispatch@ietf.org>
> https://www.ietf.org/mailman/listinfo/secdispatch <https://www.ietf.org/mailman/listinfo/secdispatch>
> 
> 
> -- 
> 
> Best regards,
> Kathleen