Re: [GNAP] Signature Methods
Dave Tonge <dave.tonge@moneyhub.com> Mon, 21 June 2021 21:03 UTC
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 458A03A199C for <txauth@ietfa.amsl.com>; Mon, 21 Jun 2021 14:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.188
X-Spam-Level:
X-Spam-Status: No, score=-0.188 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FjGzWe24bfUb for <txauth@ietfa.amsl.com>; Mon, 21 Jun 2021 14:03:22 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA2783A199A for <txauth@ietf.org>; Mon, 21 Jun 2021 14:03:21 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id t3so20822435edc.7 for <txauth@ietf.org>; Mon, 21 Jun 2021 14:03:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0q0dixV1vwYU6khRPoycx/1ZQ+9UZW3hAMfMpvDP6Bw=; b=GLAMdMxMwm0qGjV941cDbdR2HTWLRtCaxArCd1gyBaPJEG4O7rBUkZb6bHsKdlzTQo HmcQ3pagGEx1MubbZt4lzhJ3kPBlutV57xPZ1D0pVL4rGiLoWDDdZzbRjVDrPHtIvRcK iRfLEBCAMznwQ/oKhzpGoB4YOYqrH5KTv/f10=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0q0dixV1vwYU6khRPoycx/1ZQ+9UZW3hAMfMpvDP6Bw=; b=UnTALhxUM7K8BU27pC35oPrlcXH8j+brjdSIHo4FT171yGTtlHAbEznhs2m790xsND /QJNGYJdHNxVmT6CvDoZhCXG/8kY0tPqrJqE6wQ39Ot3zOdKGcyCIZd1NDMVaj91qH8d jxHNj+BTLRhke1BuZijbzys4/q9YeYatR1OC5yh8zUHBNv8IsUil4DiraVMA3d7FEc1S PDslpDnBxK06TF4O/rdlTIVrwXZ09z4ssPXjygsGFWu2F8r6HWJ3Aejd8uowKEc6dRWZ 35HBTz8dgVZkW0mJ17JPXRS3lRI+SaAECkir+ILGJ83VRG+IOHbYX+fVsHfm3h4Hc8Ya IcdA==
X-Gm-Message-State: AOAM531Q996IyhD3b3cLr2YyxLvN6xwFIBa4UaeZJtfwtgPQFNLd4lAZ QkNQ4BlVVcfh1um3+zbV5s/DywnEu28tIk93F1WxHn9MjQ8tE1A5tyO0vWXkijIWH4A0Tu+249P KJwo+vnGi4jJ76GM=
X-Google-Smtp-Source: ABdhPJxIGZbbn9Icvsm8B2QJoC3y3VCJvWote4rU+QY57Z4C/t9qRsYjlMiONpEAFUe64pafZ7oSiRoqAtriDOp/ipo=
X-Received: by 2002:a05:6402:b6a:: with SMTP id cb10mr379779edb.275.1624309394897; Mon, 21 Jun 2021 14:03:14 -0700 (PDT)
MIME-Version: 1.0
References: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
In-Reply-To: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 21 Jun 2021 23:03:03 +0200
Message-ID: <CAP-T6TSMBpEGguOqvr2xfTdCKZ10bUo=StHkowEvUrdd4tTcVA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007d0e9e05c54d00fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CvabhG85jW8Lny_fLxIVNDdNORA>
Subject: Re: [GNAP] Signature Methods
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 21:03:27 -0000
I'm definitely in favour of simplification. Mutual TLS is an interesting one. I would prefer that it isn't included in core as it mixes the transport and application layers and in my experience is fairly brittle (not the spec, but how it is implemented in a lot of places). Purely in terms of aesthetics, I don't like the http signatures spec, but if it is going to become mainstream then it makes sense to make it the primary signing mechanism. As you mentioned the good thing about it is that it can work for all HTTP requests, and can also be used for signing responses. I think some work will need to be done to get the http signature spec supported by standard HTTP client libraries in popular languages. This will make it a lot easier for implementers (i.e. I can call ``` myHttpClientLibary.post({ body: {...}, uri: "https://example.com/continue", sign: { key: {} // reference to key to use to sign, digest: "SHA-256" additionalHeaders: ["authorization", "content-type"] } }) ``` So my suggestion would be to only have the http signature spec in core. GNAP is a new protocol - I see no need to add unnecessary optionality. Dave On Tue, 15 Jun 2021 at 19:50, Justin Richer <jricher@mit.edu> wrote: > In GNAP, most requests are signed in some way, or at least bound to a key > being presented or referenced with the request. This is true for > connections from the client instance to the AS and to the RS, as well as > introspection requests from the RS to the AS. GNAP has always sought to be > flexible with regard to cryptographic binding mechanisms, but there’s a > question as to what should remain defined in the core document. Right now, > core has six methods defined. The editors are proposing that we keep at > least two and drop two, and the others could either both be kept, both be > dropped, or one kept. The rationale for each proposal is discussed below: > > Proposed to keep: > > - HTTP Method Signatures: general purpose mechanism, being defined in HTTP > WG. Can be bound to symmetric and asymmetric keys. Usable for native, web, > and SPA clients. Suggested MTI for the AS (but not mandatory to use) for > interoperability. Side note, possible use for AS to sign responses (but not > explored here yet — that’s another topic). > > - Mutual TLS: based on OAuth MTLS, ties the keys at the TLS layer to the > application protocol (GNAP). > > > Proposed to drop: > > - OAuth PoP: expired draft, due to be replaced with new draft based on > HTTP Message Signatures. > > - OAuth DPoP: only works for asymmetric keys, requires key be presented in > the header (duplicating information from GNAP messages). It was never meant > to be a general purpose signing mechanism, though the FAPI group in OIDF is > considering it as an option in current proposed work. > > > This leaves the two JWS based methods, detached and attached. Since > attached JWS depends on the detached JWS method to handle body-less > requests like GET, DELETE, OPTIONS, etc., if we remove the detached method > then we have to remove both. The methods could be pulled to an extension, > left in core, or removed entirely. > > The editors would appreciate feedback on this proposal, including specific > feedback on the JWS methods from implementors who are targeting them. > > > — Justin > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > -- Dave Tonge CTO [image: Moneyhub Enterprise] <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A> t: +44 (0)117 280 5120 Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at *https://register.fca.org.uk/ <https://register.fca.org.uk/>*. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772 . Moneyhub Financial Technology Limited 2019 © DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company. -- Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at https://register.fca.org.uk/ <https://register.fca.org.uk/>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.
- [GNAP] Signature Methods Justin Richer
- Re: [GNAP] Signature Methods Nicolas Mora
- Re: [GNAP] Signature Methods Justin Richer
- Re: [GNAP] Signature Methods Nicolas Mora
- Re: [GNAP] Signature Methods Dave Tonge
- Re: [GNAP] Signature Methods Fabien Imbault