Re: [GNAP] Signature Methods

Nicolas Mora <nicolas@babelouest.org> Sun, 20 June 2021 13:16 UTC

To: txauth@ietf.org
References: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
From: Nicolas Mora <nicolas@babelouest.org>
Message-ID: <d1967b45-cb8e-27df-02e8-2a521dadf31b@babelouest.org>
Date: Sun, 20 Jun 2021 09:16:13 -0400
In-Reply-To: <EFDB08A5-51F5-4261-A6E8-A718D07937E5@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/_ZkGUbypG1RE2p19hGn60A-lhX4>

Hello,

On 2021-06-15 at 13:49, Justin Richer wrote:
> 
> Proposed to keep:
> 
> - HTTP Method Signatures: general purpose mechanism, being defined in HTTP WG. Can be bound to symmetric and asymmetric keys. Usable for native, web, and SPA clients. Suggested MTI for the AS (but not mandatory to use) for interoperability. Side note, possible use for AS to sign responses (but not explored here yet — that’s another topic).
> 
> - Mutual TLS: based on OAuth MTLS, ties the keys at the TLS layer to the application protocol (GNAP).
> 
> 
[...]
> 
> This leaves the two JWS based methods, detached and attached. Since attached JWS depends on the detached JWS method to handle body-less requests like GET, DELETE, OPTIONS, etc., if we remove the detached method then we have to remove both. The methods could be pulled to an extension, left in core, or removed entirely.
> 
> The editors would appreciate feedback on this proposal, including specific feedback on the JWS methods from implementors who are targeting them.
> 
If I may, I'd like to keep the detached and attached methods in GNAP.

The attached method is easy to understand and implement; you have zillions of JOSE implementations in various languages and contexts, and from the point of view of the client, the detached method looks like this:

- step 1: build the request as a JSON object
- step 2: serialize a JWS in compact mode using the private key
- step 3: send the request to the AS

This makes it simple to implement on both sides; also, the signing and encryption capabilities add a pretty good security layer to the request.

Also, this method allows clients without a secret or a private key, such as the public clients in OAuth2, because one can build an unsigned JWS.

If GNAP only uses HTTP Message Signing and Mutual TLS, it may be harder to implement, and therefore lead to fewer implementations and less adoption.

I wasn't there at that time, but I've read that OAuth1 and SAML had this problem, and OAuth2 was made to avoid too much complexity.

/Nicolas