Re: HTTP Signing

There are some conceptual similarities between AWS Signature Version 4 (SigV4) and draft-cavage-http-signatures. Both signing mechanisms provide some flexibility regarding what protocol elements are covered by the signature, but cavage goes further here. Conversely, SigV4 has more rigorous canonicalization language. Ultimately these two concepts are the key to success here.

I believe the best path is for us to produce a core signing specification that defines signature generation and validation without getting prescriptive about what elements get signed. That can then be profiled (here in http, in oauth, in OpenID FAPI, ...) as needed, with profiles getting more or less prescriptive as is appropriate. That core spec is what I am currently working on, starting from cavage. I hope to have an I-D ready to present to the working group for adoption before the end of this year.

Here are a couple links, in case anyone is interested in learning more about SigV4:
 - Public documentation: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
 - Informational presentation I gave at IETF 105: https://www.youtube.com/watch?v=tUmT5qqlKik&feature=youtu.be&t=6400

– 
Annabelle Richard Backman
AWS Identity
 

On 11/22/19, 4:52 PM, "Roberto Polli" <robipolli@gmail.com> wrote:

    Hi Rob & co,
    
    On Fri, 22 Nov 2019 at 07:05, Rob Sayre <sayrer@gmail.com> wrote:
    > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on YouTube[1], and it seems like it's going to end up in this WG.
    Interesting thread: the video is at
    https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000
    
    >  I'd like to suggest adopting something very similar to AWSv4.
    iiuc the approach of draft-cavage and signed-exchange is very similar
    and the signed-exchange workgroup made a lot of progress.
    AWSv4 seems to me quite limited and IMHO if you expand it you'll
    eventually end up with draft-cavage or http-signatures.
    
    > I've implemented the server side of AWSv4 [...]
    > it's possible to use off-the-shelf AWSv4 client SDKs, make up your own "service" name, and implement the server side of the protocol
    Understood, though AWS can change that SDK in the future, as that's
    tied to their infrastructure.
    
    > [1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
    > [2] https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    
    Regards,
    R.
    
    

Received on Friday, 22 November 2019 12:38:49 UTC
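
Added illustration, not part of the original message and not code from either specification: a cavage-style signing string in which the covered list decides what the signature protects, and canonicalization decides which byte-level differences a verifier tolerates. The key, the requests and the function names are constructed for the example, and HMAC-SHA256 is an assumed algorithm choice.

```python
import base64
import hashlib
import hmac

def signing_string(method, path, headers, covered):
    """Cavage-style signing string built only from the covered elements."""
    canon = {}
    for name, value in headers:
        # Canonicalize: lowercase the name, trim the value, join repeats with ", ".
        canon.setdefault(name.lower(), []).append(value.strip())
    lines = []
    for item in (c.lower() for c in covered):
        if item == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif item in canon:
            lines.append(f"{item}: {', '.join(canon[item])}")
        else:
            raise ValueError(f"covered header missing from request: {item}")
    return "\n".join(lines)

def sign(key, method, path, headers, covered):
    msg = signing_string(method, path, headers, covered).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def verify(key, method, path, headers, covered, signature):
    try:
        expected = sign(key, method, path, headers, covered)
    except ValueError:
        return False  # a covered element was stripped in transit
    return hmac.compare_digest(expected, signature)

# Constructed sample data (not taken from either specification).
KEY = b"constructed-demo-key"
COVERED = ["(request-target)", "host", "date"]
SENT = [("Host", "example.com"),
        ("Date", "Fri, 22 Nov 2019 12:00:00 GMT"),
        ("Content-Type", "application/json")]
SIG = sign(KEY, "POST", "/orders", SENT, COVERED)
# Same request after an intermediary re-cased names and padded values.
RECASED = [("host", "example.com "),
           ("DATE", "  Fri, 22 Nov 2019 12:00:00 GMT"),
           ("content-type", "application/json")]
# Uncovered header changed: the signature cannot notice.
RETYPED = SENT[:2] + [("Content-Type", "text/plain")]
# Covered header changed: verification fails.
REDATED = [SENT[0], ("Date", "Sat, 23 Nov 2019 12:00:00 GMT"), SENT[2]]
if __name__ == "__main__":
    for label, hdrs in [("recased", RECASED), ("retyped", RETYPED), ("redated", REDATED)]:
        print(label, verify(KEY, "POST", "/orders", hdrs, COVERED, SIG))
```

A profile that needs Content-Type (or a body digest) protected would add it to the covered list; the core signing and verification logic stays the same.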