[GNAP] Key rotation in HTTP Signatures

Justin Richer <jricher@mit.edu> Fri, 05 May 2023 21:25 UTC

From: Justin Richer <jricher@mit.edu>
To: GNAP Mailing List <txauth@ietf.org>
Date: Fri, 05 May 2023 21:25:40 +0000
Message-ID: <9D712751-56F7-45CC-834F-926C00CC72E6@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/FETNN92dVYLk_l7JbpOLRgp_LqU>
Subject: [GNAP] Key rotation in HTTP Signatures

To align with some recent updates to the HTTP Signatures draft that resulted from an in-depth security analysis of that draft, we have updated the mechanism of key rotation using that proofing method:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/506

Please review the text and if necessary change your implementations to match the new requirements. This goes hand-in-hand with the token rotation changes posted about earlier this week.

 — Justin
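The announcement does not reproduce the new text, so the following is an added illustration, not the linked PR, GNAP's normative rotation rules, or Justin's code. It shows the general pattern a rotation over HTTP Message Signatures (draft-ietf-httpbis-message-signatures, later RFC 9421) relies on: the request carries one signature made with the current key and a second made with the new key whose covered components include the first signature, so a party cannot claim a rotation from a key it does not hold and cannot swap the old signature out after the fact. Assumptions, labelled in the code: hmac-sha256 as the algorithm, the key identifiers, the dictionary labels "old" and "new", the tag value "gnap", and the simplified signature-base builder (only @method, @target-uri, one field, and a keyed Signature member). Check the PR for the actual ordering and parameter requirements before changing an implementation.

```python
import base64
import hashlib
import hmac

# Constructed demo secrets and key identifiers; in GNAP these would be the client
# instance's registered key and the key it wants to rotate to (assumption).
OLD_KEY = b"old-secret-32-bytes-constructed!"
NEW_KEY = b"new-secret-32-bytes-constructed!"
KEYS = {"client-key-1": OLD_KEY, "client-key-2": NEW_KEY}
BASE_COMPONENTS = [("@method", None), ("@target-uri", None), ("content-digest", None)]


def make_request():
    """Constructed sample continuation request (not from the spec or the PR)."""
    digest = base64.b64encode(hashlib.sha256(b'{"x":1}').digest()).decode()
    return {
        "method": "POST",
        "target_uri": "https://as.example/continue",
        "headers": {"content-digest": f"sha-256=:{digest}:"},
        "signature_input": {},  # label -> parameter string (Signature-Input dictionary)
        "signature": {},        # label -> raw MAC bytes (Signature dictionary)
    }


def serialize_component(name, key=None):
    # Component identifier as it appears in the signature base, e.g. "signature";key="old"
    return f'"{name}"' + (f';key="{key}"' if key else "")


def component_value(req, name, key=None):
    if name == "@method":
        return req["method"]
    if name == "@target-uri":
        return req["target_uri"]
    if name == "signature":
        # A member of an earlier Signature field, serialized as a byte sequence
        return ":" + base64.b64encode(req["signature"][key]).decode() + ":"
    return req["headers"][name]


def signature_base(req, components, params):
    lines = [f"{serialize_component(n, k)}: {component_value(req, n, k)}" for n, k in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def parse_components(params):
    """Recover the covered component list from a signature parameter string."""
    inner = params[1:params.index(")")]
    out = []
    for item in inner.split():
        name, _, rest = item.partition(";")
        key = rest.split('"')[1] if rest.startswith("key=") else None
        out.append((name.strip('"'), key))
    return out


def sign(req, label, key, keyid, components, created, tag="gnap"):
    inner = " ".join(serialize_component(n, k) for n, k in components)
    params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256";tag="{tag}"'
    mac = hmac.new(key, signature_base(req, components, params).encode(), hashlib.sha256).digest()
    req["signature_input"][label] = params
    req["signature"][label] = mac
    return params


def verify(req, label, key):
    params = req["signature_input"][label]
    expected = hmac.new(key, signature_base(req, parse_components(params), params).encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, req["signature"][label])


def keyid_of(params):
    return params.split('keyid="')[1].split('"')[0]


def rotate_key(req, old_key, old_kid, new_key, new_kid, created):
    """Sign with the current key, then with the new key covering that first signature."""
    sign(req, "old", old_key, old_kid, BASE_COMPONENTS, created)
    sign(req, "new", new_key, new_kid, BASE_COMPONENTS + [("signature", "old")], created)
    return req


def verify_rotation(req, keys):
    """Both signatures must verify under their own keyid, and the new key's signature
    must cover the old key's signature; otherwise this is not an accepted rotation."""
    for label in ("old", "new"):
        params = req["signature_input"].get(label)
        if params is None or not verify(req, label, keys[keyid_of(params)]):
            return False
    return ("signature", "old") in parse_components(req["signature_input"]["new"])


def demo():
    return rotate_key(make_request(), OLD_KEY, "client-key-1", NEW_KEY, "client-key-2", 1683321940)
```

Because the new key's signature covers the Signature member produced by the old key, tampering with the old signature bytes breaks both signatures, and a request carrying two independent signatures (new key not covering the old) is rejected by verify_rotation even though each signature verifies on its own.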