W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Content security model

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 25 Jul 2012 20:27:52 -0400
Message-ID: <CAMm+LwjoQ54qJ_uO7ra5WQXUnhK6M2Me25_-=aaKjyyONWdCFw@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Those are good questions.

I guess it depends very much on what type of intermediary is involved
and whether it is a proxy type object or something 'transformational'.
In the first case the URI is going to be the same, in the second it is
going to change.

So when I design a protocol, I don't actually use the URI at all. My
server dispatch methods cannot see it, and that is exactly what I want
as I don't want the dispatcher to see anything other than the
authenticated data and the credential it is validated against.


If I wanted to pass parameters in the URI then I would make the
authentication token one of the parameters. But seriously, I never saw
the virtue of squashing your whole protocol into the request URI.

The URI line is very limited though, only 1024 bytes. Which means that
any serious service has to use url/form encoding as an option at the
very least. If you are going to pass content in the body of the
message then why not use the JSON encoding in both directions and save
some work?


As far as security goes, the model is rather different between
symmetric and asymmetric key.

With a public key protocol, the message is signed and anyone can check
the signature. This creates opportunity for endless subversion issues
as commands intended for one recipient are redirected to another. I
actually try to avoid using signatures for this very reason unless I
am writing a protocol where that is the requirement.

With a symmetric key protocol the authentication and thus the command
is inherently bound to the keys at both ends.


On Wed, Jul 25, 2012 at 8:04 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
>> > 3) HTTP security controls should only secure content.
>> > Signing headers is not only difficult, it is often counterproductive.
>> > If a Web service depends on information in a header
>> > there is probably something wrong.
>
> What about the URI?
> What about the method (GET, POST, DELETE...)?
>
> Only protecting the body only works for RPC-style web services in which every request is a POST to a single API endpoint (eg POST /api/ HTTP/1.1). Even then the body needs to have an "audience" field that is likely to repeat the host (or URI).
>
> HTTP/2 needs to support REST APIs, where the method and URI are crucial parts.
>
>> > From these I draw the following conclusions:
>> >
>> > * HTTP 2.0 should draw a distinction between routing headers and
>> >   content meta-data
>
> +1
> Though I suspect there are lots of headers where this distinction is not crystal clear.
>
>> > * HTTP encryption and authentication are necessary independent of TLS
>> >   support
>
> --
> James Manger



-- 
Website: http://hallambaker.com/
Received on Thursday, 26 July 2012 00:28:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 July 2012 00:28:26 GMT