- From: Rob Sayre <sayrer@gmail.com>
- Date: Fri, 22 Nov 2019 13:55:39 -0800
- To: Roberto Polli <robipolli@gmail.com>
- Cc: Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAChr6SyyX895_WNVDGwz+jtGL-n4ksxF-uqzZqzxs1f4jAAB1g@mail.gmail.com>
On Fri, Nov 22, 2019 at 12:48 AM Roberto Polli <robipolli@gmail.com> wrote: > Hi Rob & co, > > Il giorno ven 22 nov 2019 alle ore 07:05 Rob Sayre <sayrer@gmail.com> > ha scritto: > > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on > YouTube[1], and it seems like it's going to end up in this WG. > Interesting thread: the video is at > https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000 > > > I'd like to suggest adopting something very similar to AWSv4. > iiuc the approach of draft-cavage and signed-exchange is very similar > and the signed-exchange workgroup made a lot of progresses. > AWSv4 seems to me quite limited and IMHO if you expand it you'll > eventually end with > draft-cavage or http-signatures. > It is quite limited, and imho that's a good thing. The idea Annabelle has put forth regarding a core signing specification seems like a good idea. In my mind, that would hopefully build in something similar to AWSv4, while also allowing others to build more complex and/or flexible features on top of it. Unrelatedly: one use case for these features are media uploads. It's pretty common to break them up into several requests so they can be resumed and retried at some level of granularity. AWS has some APIs that do this, but their chunk sizes are quite large. Lots of mobile apps end up building similar features with much smaller chunk sizes. For these use cases, signing the payload in a trailer isn't so important, since the chunks are pretty small anyway. thanks, Rob
Received on Friday, 22 November 2019 21:55:56 UTC