W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2019

HTTP Signing

From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 21 Nov 2019 22:02:09 -0800
Message-ID: <CAChr6SwoGTULzG5jKsEbPRbzb1qK6F-sKT8ArEyQ3BA6T78YAQ@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on
YouTube[1], and it seems like it's going to end up in this WG. Given the
people that spoke up at the mic, I'd like to suggest adopting something
very similar to AWSv4.

I've implemented the server side of AWSv4 in the past (not at Amazon). The
issues raised about splitting the HTTP request signing from higher-level
concerns are valid. However, I can also tell you that it's possible to use
off-the-shelf AWSv4 client SDKs, make up your own "service" name, and
implement the server side of the protocol. It's not too hard to imagine
what the server code might do if you read the example client code[2].


[1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
Received on Friday, 22 November 2019 06:02:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:43 UTC