Re: [Secdispatch] [dispatch] HTTP Request Signing

Mark Nottingham <> Sat, 02 November 2019 04:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7B38B120A80; Fri, 1 Nov 2019 21:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=GBAFj3i2; dkim=pass (2048-bit key) header.b=Iwrj2gkR
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RN35cOUZCUBx; Fri, 1 Nov 2019 21:26:10 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E3D54120937; Fri, 1 Nov 2019 21:26:09 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id EC84021340; Sat, 2 Nov 2019 00:26:08 -0400 (EDT)
Received: from mailfrontend1 ([]) by compute3.internal (MEProxy); Sat, 02 Nov 2019 00:26:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm1; bh=E zV/w/ZfedmKAYeMxaLZ/VZVaKiqLR6NvBvpzGRbnqw=; b=GBAFj3i2G2Mjvtz8Q hVVMKksBoJ831Z6t+l7hvjXtdOsUI05K90684Rmzw/Xchj3bEbBwVP5vK3bhlNPr kqshx5UAxXUb4g5AHdlegJyxqDPO8fbc5nIqllpA4hNre4UdOoXbb4oBVNBawZeE fz4YGmi07VOH8EXb3FVvBn4p3onPZ1nm6ywKR+y4mjQpIGjLtk0DJVWrFYqADKqu mzOHGLt7AXrFHycTLog1MdbCeGeAwrgEPLXhps69SCQkytp8oP6PcSm6Msfix+TJ 3Tt9Mjf9/SZ24RdX8CP7KFGA3oogMW73/mVRQ7OA/06TfjEUEoPyCkY9lKiNHn5E 9EQpA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=EzV/w/ZfedmKAYeMxaLZ/VZVaKiqLR6NvBvpzGRbn qw=; b=Iwrj2gkRSXVy5CdDz/huoRGowhwNZqR8lCrIfTQyATo4n9JRq45D6yJcC /Ci3F0wemRrHoa76u7PN8eJWB8YQhTblG8nsY3UZ6T4v+eWpps0CcrFb/sAgCr3M KkPBjpomWIquvvUPJT8BZO9uTH12b9Lho0yh3BcxV7cf7yoUu0Qey6KuyGNC34LY aB9+UDuzqqrvn2kMqLGz6oPPAZZo5bc8bUGiy6VvetXl7TsqX9C/4RCYCRTMlf+W pQ3+hbY3IMInXrFG02JpBvvXha+QT3YMVwA8eLB40J5Us/cn5ttuB0WLt+4SVSE1 EUQ9TN6SNjLQIMINQtzwo9EP13F+w==
X-ME-Sender: <xms:XwW9XbqFyJNr3zTMIultuMwBbMiBHYLntxrLp9cQmOvlUj7SpMprzA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedruddtkedgieelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucffohhmrghinh ephhhtthhptghomhhmuhhnihhtihgvshhrvghsphgvtghtihhvvghlhidrshhopdhhthht phhmvghsshgrghgvshhighhnihhnghgtrghprggsihhlihhthidrrghspdhivghtfhdroh hrghdpmhhnohhtrdhnvghtnecukfhppeduudelrddujedrudehkedrvdehudenucfrrghr rghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvthenucevlhhushhtvghruf hiiigvpedt
X-ME-Proxy: <xmx:XwW9XR_5qGlfDpUGQyJIJ7PgpqcpQeX0CyWKojJKbn_tGlQKLTt0gg> <xmx:XwW9Xa_1Vma-WhtaaXJostV0lLTC9LrTlbW1YqdYsXIYTpQ8N_Mg5g> <xmx:XwW9XQt1qcsxDvOgW2xljXl7LanWbUboWQog-BQj9KiYXt1fr5pRsA> <xmx:YAW9Xajs8tEzNRdKiJSNtrTSn5ubQPt8jrBc5heoWhw-oMg7a3zqwQ>
Received: from (unknown []) by (Postfix) with ESMTPA id DF5848005B; Sat, 2 Nov 2019 00:26:05 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: Mark Nottingham <>
In-Reply-To: <>
Date: Sat, 2 Nov 2019 15:26:01 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Justin Richer <>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <>
Subject: Re: [Secdispatch] [dispatch] HTTP Request Signing
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 02 Nov 2019 04:26:14 -0000

Hi Justin,

It's worth noting that there's a Working Group forming BoF, wpack, being held in Singapore about a draft with similar goals:

In particular, both this draft and Jeffrey's propose the Signature HTTP header field, and seem to have at least partially overlapping use cases.

If possible, it'd be good to avoid duplication of effort -- especially in terms of evaluating security properties and "fit" into HTTP by the security and HTTP communities, respectively. So, I'd suggest bringing it up there instead.


> On 2 Nov 2019, at 8:59 am, Justin Richer <> wrote:
> I would like to present and discuss HTTP Request signing at both the DISPATCH and SECDISPATCH meetings at IETF106 in Singapore. This I-D has been floating around for years now and has been adopted by a number of different external groups and efforts:
> I’ve spoken with the authors of the draft and we’d like to find out how to bring this forward to publication within the IETF. I’m targeting both dispatch groups because this represents the intersection of both areas, and I think we’d get different perspectives from each side that we should consider. 
> There have been a number of other drafts that have approached HTTP request signing as well (I’ve written two of them myself), but none has caught on to date and none have made it to RFC. Lately, though, I’ve been seeing a lot of renewed effort in different sectors, and in particular the financial sector and cloud services, to have a general purpose HTTP message signing capability. As such, I think it’s time to push something forward. 
> I’ve reached out to the chairs for both DISPATCH and SECDISPATCH to request a presentation slot.
> Thank you, and I’ll see you all in Singapore!
>  — Justin
> _______________________________________________
> dispatch mailing list

Mark Nottingham