IETF Logo Mail Archive

Re: [GNAP] Signature Methods

Dave Tonge <dave.tonge@moneyhub.com> Mon, 21 June 2021 21:03 UTC

Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 458A03A199C for <txauth@ietfa.amsl.com>; Mon, 21 Jun 2021 14:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.188
X-Spam-Level:
X-Spam-Status: No, score=-0.188 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FjGzWe24bfUb for <txauth@ietfa.amsl.com>; Mon, 21 Jun 2021 14:03:22 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA2783A199A for <txauth@ietf.org>; Mon, 21 Jun 2021 14:03:21 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id t3so20822435edc.7 for <txauth@ietf.org>; Mon, 21 Jun 2021 14:03:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0q0dixV1vwYU6khRPoycx/1ZQ+9UZW3hAMfMpvDP6Bw=; b=GLAMdMxMwm0qGjV941cDbdR2HTWLRtCaxArCd1gyBaPJEG4O7rBUkZb6bHsKdlzTQo HmcQ3pagGEx1MubbZt4lzhJ3kPBlutV57xPZ1D0pVL4rGiLoWDDdZzbRjVDrPHtIvRcK iRfLEBCAMznwQ/oKhzpGoB4YOYqrH5KTv/f10=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0q0dixV1vwYU6khRPoycx/1ZQ+9UZW3hAMfMpvDP6Bw=; b=UnTALhxUM7K8BU27pC35oPrlcXH8j+brjdSIHo4FT171yGTtlHAbEznhs2m790xsND /QJNGYJdHNxVmT6CvDoZhCXG/8kY0tPqrJqE6wQ39Ot3zOdKGcyCIZd1NDMVaj91qH8d jxHNj+BTLRhke1BuZijbzys4/q9YeYatR1OC5yh8zUHBNv8IsUil4DiraVMA3d7FEc1S PDslpDnBxK06TF4O/rdlTIVrwXZ09z4ssPXjygsGFWu2F8r6HWJ3Aejd8uowKEc6dRWZ 35HBTz8dgVZkW0mJ17JPXRS3lRI+SaAECkir+ILGJ83VRG+IOHbYX+fVsHfm3h4Hc8Ya IcdA==
X-Gm-Message-State: AOAM531Q996IyhD3b3cLr2YyxLvN6xwFIBa4UaeZJtfwtgPQFNLd4lAZ QkNQ4BlVVcfh1um3+zbV5s/DywnEu28tIk93F1WxHn9MjQ8tE1A5tyO0vWXkijIWH4A0Tu+249P KJwo+vnGi4jJ76GM=
X-Google-Smtp-Source: ABdhPJxIGZbbn9Icvsm8B2QJoC3y3VCJvWote4rU+QY57Z4C/t9qRsYjlMiONpEAFUe64pafZ7oSiRoqAtriDOp/ipo=
X-Received: by 2002:a05:6402:b6a:: with SMTP id cb10mr379779edb.275.1624309394897; Mon, 21 Jun 2021 14:03:14 -0700 (PDT)
MIME-Version: 1.0
References: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
In-Reply-To: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 21 Jun 2021 23:03:03 +0200
Message-ID: <CAP-T6TSMBpEGguOqvr2xfTdCKZ10bUo=StHkowEvUrdd4tTcVA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007d0e9e05c54d00fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CvabhG85jW8Lny_fLxIVNDdNORA>
Subject: Re: [GNAP] Signature Methods
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 21:03:27 -0000

I'm definitely in favour of simplification.

Mutual TLS is an interesting one. I would prefer that it isn't included in
core as it mixes the transport and application layers and in my experience
is fairly brittle (not the spec, but how it is implemented in a lot of
places).

Purely in terms of aesthetics, I don't like the http signatures spec, but
if it is going to become mainstream then it makes sense to make it the
primary signing mechanism. As you mentioned the good thing about it is that
it can work for all HTTP requests, and can also be used for signing
responses.

I think some work will need to be done to get the http signature spec
supported by standard HTTP client libraries in popular languages. This will
make it a lot easier for implementers (i.e. I can call

```
myHttpClientLibary.post({
  body: {...},
  uri: "https://example.com/continue",
  sign: {
    key: {} // reference to key to use to sign,
    digest: "SHA-256"
    additionalHeaders: ["authorization", "content-type"]
  }
})
```

So my suggestion would be to only have the http signature spec in core.

GNAP is a new protocol - I see no need to add unnecessary optionality.

Dave



On Tue, 15 Jun 2021 at 19:50, Justin Richer <jricher@mit.edu> wrote:

> In GNAP, most requests are signed in some way, or at least bound to a key
> being presented or referenced with the request. This is true for
> connections from the client instance to the AS and to the RS, as well as
> introspection requests from the RS to the AS. GNAP has always sought to be
> flexible with regard to cryptographic binding mechanisms, but there’s a
> question as to what should remain defined in the core document. Right now,
> core has six methods defined. The editors are proposing that we keep at
> least two and drop two, and the others could either both be kept, both be
> dropped, or one kept. The rationale for each proposal is discussed below:
>
> Proposed to keep:
>
> - HTTP Method Signatures: general purpose mechanism, being defined in HTTP
> WG. Can be bound to symmetric and asymmetric keys. Usable for native, web,
> and SPA clients. Suggested MTI for the AS (but not mandatory to use) for
> interoperability. Side note, possible use for AS to sign responses (but not
> explored here yet — that’s another topic).
>
> - Mutual TLS: based on OAuth MTLS, ties the keys at the TLS layer to the
> application protocol (GNAP).
>
>
> Proposed to drop:
>
> - OAuth PoP: expired draft, due to be replaced with new draft based on
> HTTP Message Signatures.
>
> - OAuth DPoP: only works for asymmetric keys, requires key be presented in
> the header (duplicating information from GNAP messages). It was never meant
> to be a general purpose signing mechanism, though the FAPI group in OIDF is
> considering it as an option in current proposed work.
>
>
> This leaves the two JWS based methods, detached and attached. Since
> attached JWS depends on the detached JWS method to handle body-less
> requests like GET, DELETE, OPTIONS, etc., if we remove the detached method
> then we have to remove both. The methods could be pulled to an extension,
> left in core, or removed entirely.
>
> The editors would appreciate feedback on this proposal, including specific
> feedback on the JWS methods from implementors who are targeting them.
>
>
>  — Justin
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at *https://register.fca.org.uk/
<https://register.fca.org.uk/>*. Moneyhub Financial Technology is
registered in England & Wales, company registration number  06909772 .
Moneyhub Financial Technology Limited 2019 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.

-- 


Moneyhub Enterprise is a trading style of Moneyhub Financial Technology 
Limited which is authorised and regulated by the Financial Conduct 
Authority ("FCA"). Moneyhub Financial Technology is entered on the 
Financial Services Register (FRN 809360) at https://register.fca.org.uk/ 
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered 
in England & Wales, company registration number 06909772. Moneyhub 
Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, 
Temple Quay, 1 Friary, Bristol, BS1 6EA. 

DISCLAIMER: This email 
(including any attachments) is subject to copyright, and the information in 
it is confidential. Use of this email or of any information in it other 
than by the addressee is unauthorised and unlawful. Whilst reasonable 
efforts are made to ensure that any attachments are virus-free, it is the 
recipient's sole responsibility to scan all attachments for viruses. All 
calls and emails to and from this company may be monitored and recorded for 
legitimate purposes relating to this company's business. Any opinions 
expressed in this email (or in any attachments) are those of the author and 
do not necessarily represent the opinions of Moneyhub Financial Technology 
Limited or of any other group company.

v2.23.0 | Report a Bug | By Email