HTTP Signing

Hi,

I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on
YouTube[1], and it seems like it's going to end up in this WG. Given the
people that spoke up at the mic, I'd like to suggest adopting something
very similar to AWSv4.

I've implemented the server side of AWSv4 in the past (not at Amazon). The
issues raised about splitting the HTTP request signing from higher-level
concerns are valid. However, I can also tell you that it's possible to use
off-the-shelf AWSv4 client SDKs, make up your own "service" name, and
implement the server side of the protocol. It's not too hard to imagine
what the server code might do if you read the example client code[2].

thanks,
Rob

[1] https://www.youtube.com/watch?v=CYBhLQ0-fwE
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html

Received on Friday, 22 November 2019 06:02:25 UTC
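
An added example, not part of the original message and not AWS's code: what the server side of AWSv4 verification can look like for a made-up service name. The service and region names, the credential store, the clock-skew limit and the function names are assumptions; the path and query string are taken as already in canonical (encoded, sorted) form and header names as lowercased.

```python
import hashlib, hmac, re
from datetime import datetime, timedelta, timezone

# Assumptions, all constructed: made-up service/region, one credential, 5-minute skew.
SERVICE, REGION = "examplesvc", "local"
SECRETS = {"AKIDCONSTRUCTED": "constructed-secret-key"}
MAX_SKEW = timedelta(minutes=5)
AUTH_RE = re.compile(r"AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8}/[^/]+/[^/]+/aws4_request),\s*"
                     r"SignedHeaders=([a-z0-9;-]+),\s*Signature=([0-9a-f]{64})$")

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(secret, method, path, query, headers, signed, body, amz_date, scope):
    """Recompute the AWSv4 signature over the request parts the client signed."""
    canon_headers = "".join(f"{h}:{' '.join(headers[h].split())}\n" for h in signed)
    canon_req = "\n".join([method, path, query, canon_headers, ";".join(signed),
                           hashlib.sha256(body).hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canon_req.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):   # date -> region -> service -> "aws4_request"
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def verify(method, path, query, headers, body, now):
    """Return True only if the Authorization header is valid for this service."""
    m = AUTH_RE.match(headers.get("authorization", ""))
    if not m:
        return False
    key_id, scope, signed, sig = m.group(1), m.group(2), m.group(3).split(";"), m.group(4)
    date, region, service, _ = scope.split("/")
    amz_date = headers.get("x-amz-date", "")
    # Reject credentials scoped to another service or region, or to another day.
    if (region, service) != (REGION, SERVICE) or not amz_date.startswith(date):
        return False
    try:
        ts = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW or key_id not in SECRETS:
        return False
    # host and x-amz-date must be covered, and every signed header must be present.
    if not {"host", "x-amz-date"} <= set(signed) or any(h not in headers for h in signed):
        return False
    expected = signature(SECRETS[key_id], method, path, query, headers, signed,
                         body, amz_date, scope)
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```
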