W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2019

Re: HTTP Signing

From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 22 Nov 2019 13:55:39 -0800
Message-ID: <CAChr6SyyX895_WNVDGwz+jtGL-n4ksxF-uqzZqzxs1f4jAAB1g@mail.gmail.com>
To: Roberto Polli <robipolli@gmail.com>
Cc: Liam Dennehy <liam@wiemax.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Nov 22, 2019 at 12:48 AM Roberto Polli <robipolli@gmail.com> wrote:

> Hi Rob & co,
> Il giorno ven 22 nov 2019 alle ore 07:05 Rob Sayre <sayrer@gmail.com>
> ha scritto:
> > I saw the "HTTP Signing" presentation in the SECDISPATCH meeting on
> YouTube[1], and it seems like it's going to end up in this WG.
> Interesting thread: the video is at
> https://www.youtube.com/watch?v=CYBhLQ0-fwE&t=3000
> >  I'd like to suggest adopting something very similar to AWSv4.
> iiuc the approach of draft-cavage and signed-exchange is very similar
> and the signed-exchange workgroup made a lot of progresses.
> AWSv4 seems to me quite limited and IMHO if you expand it you'll
> eventually end with
> draft-cavage or http-signatures.

It is quite limited, and imho that's a good thing. The idea Annabelle has
put forth regarding a core signing specification seems like a good idea. In
my mind, that would hopefully build in something similar to AWSv4, while
also allowing others to build more complex and/or flexible features on top
of it.

Unrelatedly: one use case for these features are media uploads. It's pretty
common to break them up into several requests so they can be resumed and
retried at some level of granularity. AWS has some APIs that do this, but
their chunk sizes are quite large. Lots of mobile apps end up building
similar features with much smaller chunk sizes. For these use cases,
signing the payload in a trailer isn't so important, since the chunks are
pretty small anyway.

Received on Friday, 22 November 2019 21:55:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:43 UTC