Re: [GNAP] Signature Methods
Fabien Imbault <fabien.imbault@gmail.com> Mon, 05 July 2021 15:20 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D4FA3A1B45 for <txauth@ietfa.amsl.com>; Mon, 5 Jul 2021 08:20:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NuEVLrSaVebU for <txauth@ietfa.amsl.com>; Mon, 5 Jul 2021 08:20:44 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A63F3A1B48 for <txauth@ietf.org>; Mon, 5 Jul 2021 08:20:43 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id a6so21393807ioe.0 for <txauth@ietf.org>; Mon, 05 Jul 2021 08:20:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z6jhJhBtgp/bJOTZTF04SOr0Ykonb+WnexLtQ0Gwg7M=; b=G5US0xr6Hnq4ZJ946sjp/+UwnDA4cAE+PXxWTjcRWX0F6nrav8HbtRrkc0qrXYpQAI nlP2d+1/ej2QodX0gKvxMSJt3CKK+0yMbz1c8uPcjGlAJk6zKZVpHlP1bEH1sexteeHq 2W9CRzNDqo83aVMEHAqypfxEgi3OuUlXJh/qbyy+EALW6lIhR+0Pz643w0jg+mRtBJCs UT7m2SGGIs3J7YqHXaaENhRf9UHnyqYBfvszRbc9aSNDVCKzWopDfmjnpBzSViMYAn+F r2vx0Ckf3JG653v1XSfgushNWcOtOXDdouFKAUB1D/WE+Q+VvU88CWQsOei4rJ+rctcB iUWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z6jhJhBtgp/bJOTZTF04SOr0Ykonb+WnexLtQ0Gwg7M=; b=cxR3wH2HsGOomrG7nN4X23B592MVApx9yeIANax3OTItqtZwIL8KKYSqnFNEiNRDGx 6MBk0WLiupImtl+tdxAkTp7+MKWcdA9AOh566tPH0h4Ddlh8SXaG6gZ/9rSvX//XvRYW Q2nrW1v13bbKik1d/BZX8qPVEc6uuMxJuq2gBk/RvJfN97eB+NHFqO1v6ooxauDwUXsj 2Yf994guiWhHorSDoBDfgfDguvFlqoLZ+iU618OCsTawBIvzx2g39lr2mYUTraVtLk+3 L5910vGtP5f8+6B5LeeFER2LOr+osIudteu9bEtQ5YZTuq7jpIzoF5cLPtfGGv3qGYDI AylA==
X-Gm-Message-State: AOAM531xqz8D8Y5w2ji8TiNn7xdJMeoq76C3JfUHxpnk0x1EEoNjnmLH 13fAnxnFOZ29jX2eZE74wkwPCsR8LZevyok71l8=
X-Google-Smtp-Source: ABdhPJxOgfGTQttXrnthZydzGWKMim6FPgfcXQIRiK3WcWlqXlgmI3Ez9P0suFKAakTae4c8Md2dLWzwwYfAH1whgeA=
X-Received: by 2002:a05:6638:3789:: with SMTP id w9mr12706703jal.77.1625498442455; Mon, 05 Jul 2021 08:20:42 -0700 (PDT)
MIME-Version: 1.0
References: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu> <CAP-T6TSMBpEGguOqvr2xfTdCKZ10bUo=StHkowEvUrdd4tTcVA@mail.gmail.com>
In-Reply-To: <CAP-T6TSMBpEGguOqvr2xfTdCKZ10bUo=StHkowEvUrdd4tTcVA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 05 Jul 2021 17:20:31 +0200
Message-ID: <CAM8feuQ_8FtE7vZdap_4Jii5wLSvTsZvKO-h60JtvrY6sajeXg@mail.gmail.com>
To: Dave Tonge <dave.tonge@moneyhub.com>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003edd0905c661d944"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/_GE_65R8uH_DF6m-cfUCKXakanU>
Subject: Re: [GNAP] Signature Methods
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 15:20:50 -0000
Dear all, I've created the 2 PRs to remove DPoP ( https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/271) and PoP ( https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/272). I personally would also favor removing JWS detached and attached. My rationale for that : - not everyone likes JOSE, so not having a strong dependency opens to a wider community - we can still support those cases as extensions, if it makes the transition from oauth easier On top of that, Dave's arguments for simplification make very good sense. The main downside of having only HTTP signatures is that it is fairly new, so the adoption requires the ecosystem to catch up (not sure what's the issue with its aesthetics, could you explain further?). But in general, it's quite nice I think. Fabien On Mon, Jun 21, 2021 at 11:03 PM Dave Tonge <dave.tonge@moneyhub.com> wrote: > I'm definitely in favour of simplification. > > Mutual TLS is an interesting one. I would prefer that it isn't included in > core as it mixes the transport and application layers and in my experience > is fairly brittle (not the spec, but how it is implemented in a lot of > places). > > Purely in terms of aesthetics, I don't like the http signatures spec, but > if it is going to become mainstream then it makes sense to make it the > primary signing mechanism. As you mentioned the good thing about it is that > it can work for all HTTP requests, and can also be used for signing > responses. > > I think some work will need to be done to get the http signature spec > supported by standard HTTP client libraries in popular languages. This will > make it a lot easier for implementers (i.e. I can call > > ``` > myHttpClientLibary.post({ > body: {...}, > uri: "https://example.com/continue", > sign: { > key: {} // reference to key to use to sign, > digest: "SHA-256" > additionalHeaders: ["authorization", "content-type"] > } > }) > ``` > > So my suggestion would be to only have the http signature spec in core. > > GNAP is a new protocol - I see no need to add unnecessary optionality. > > Dave > > > > On Tue, 15 Jun 2021 at 19:50, Justin Richer <jricher@mit.edu> wrote: > >> In GNAP, most requests are signed in some way, or at least bound to a key >> being presented or referenced with the request. This is true for >> connections from the client instance to the AS and to the RS, as well as >> introspection requests from the RS to the AS. GNAP has always sought to be >> flexible with regard to cryptographic binding mechanisms, but there’s a >> question as to what should remain defined in the core document. Right now, >> core has six methods defined. The editors are proposing that we keep at >> least two and drop two, and the others could either both be kept, both be >> dropped, or one kept. The rationale for each proposal is discussed below: >> >> Proposed to keep: >> >> - HTTP Method Signatures: general purpose mechanism, being defined in >> HTTP WG. Can be bound to symmetric and asymmetric keys. Usable for native, >> web, and SPA clients. Suggested MTI for the AS (but not mandatory to use) >> for interoperability. Side note, possible use for AS to sign responses (but >> not explored here yet — that’s another topic). >> >> - Mutual TLS: based on OAuth MTLS, ties the keys at the TLS layer to the >> application protocol (GNAP). >> >> >> Proposed to drop: >> >> - OAuth PoP: expired draft, due to be replaced with new draft based on >> HTTP Message Signatures. >> >> - OAuth DPoP: only works for asymmetric keys, requires key be presented >> in the header (duplicating information from GNAP messages). It was never >> meant to be a general purpose signing mechanism, though the FAPI group in >> OIDF is considering it as an option in current proposed work. >> >> >> This leaves the two JWS based methods, detached and attached. Since >> attached JWS depends on the detached JWS method to handle body-less >> requests like GET, DELETE, OPTIONS, etc., if we remove the detached method >> then we have to remove both. The methods could be pulled to an extension, >> left in core, or removed entirely. >> >> The editors would appreciate feedback on this proposal, including >> specific feedback on the JWS methods from implementors who are targeting >> them. >> >> >> — Justin >> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> > > > -- > Dave Tonge > CTO > [image: Moneyhub Enterprise] > <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A> > t: +44 (0)117 280 5120 > > Moneyhub Enterprise is a trading style of Moneyhub Financial Technology > Limited which is authorised and regulated by the Financial Conduct > Authority ("FCA"). Moneyhub Financial Technology is entered on the > Financial Services Register (FRN 809360) at *https://register.fca.org.uk/ > <https://register.fca.org.uk/>*. Moneyhub Financial Technology is > registered in England & Wales, company registration number 06909772 . > Moneyhub Financial Technology Limited 2019 © > > DISCLAIMER: This email (including any attachments) is subject to > copyright, and the information in it is confidential. Use of this email or > of any information in it other than by the addressee is unauthorised and > unlawful. Whilst reasonable efforts are made to ensure that any attachments > are virus-free, it is the recipient's sole responsibility to scan all > attachments for viruses. All calls and emails to and from this company may > be monitored and recorded for legitimate purposes relating to this > company's business. Any opinions expressed in this email (or in any > attachments) are those of the author and do not necessarily represent the > opinions of Moneyhub Financial Technology Limited or of any other group > company. > > Moneyhub Enterprise is a trading style of Moneyhub Financial Technology > Limited which is authorised and regulated by the Financial Conduct > Authority ("FCA"). Moneyhub Financial Technology is entered on the > Financial Services Register (FRN 809360) at https://register.fca.org.uk/. > Moneyhub Financial Technology is registered in England & Wales, company > registration number 06909772. Moneyhub Financial Technology Limited 2020 © > Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 > 6EA. > > DISCLAIMER: This email (including any attachments) is subject to > copyright, and the information in it is confidential. Use of this email or > of any information in it other than by the addressee is unauthorised and > unlawful. Whilst reasonable efforts are made to ensure that any attachments > are virus-free, it is the recipient's sole responsibility to scan all > attachments for viruses. All calls and emails to and from this company may > be monitored and recorded for legitimate purposes relating to this > company's business. Any opinions expressed in this email (or in any > attachments) are those of the author and do not necessarily represent the > opinions of Moneyhub Financial Technology Limited or of any other group > company. > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [GNAP] Signature Methods Justin Richer
- Re: [GNAP] Signature Methods Nicolas Mora
- Re: [GNAP] Signature Methods Justin Richer
- Re: [GNAP] Signature Methods Nicolas Mora
- Re: [GNAP] Signature Methods Dave Tonge
- Re: [GNAP] Signature Methods Fabien Imbault