Re: Artart last call review of draft-ietf-httpbis-message-signatures-16

Thanks for the comments on the review!

One particular point, which I think is the most important:

On 3/7/23 18:39, Justin Richer wrote:
>>
>> IF it is possible to:
>> - Describe 2 or more “applications” (in the document’s terminology) that serve
>>   a useful function in securing some part of the ecosystem against some attack
>> - Implement these functions in a way that exercises a fairly comprehensive
>>   subset of the behaviors mandated in this document
>> - Run the resulting application in a real environment for some significant
>>   period of time, and observe that the number of canonicalization errors
>>   resulting in validation failure is insignificant to zero
>> THEN it seems to me reasonable to place this on the standards track.
>>
>> Until then, I think this best belongs as an experimental protocol that people
>> can implement to gather experience with, not something that the IETF should
>> publish as a consensus standards-track protocol.
>>
> 
> There are many very real applications from which this draft’s text was 
> distilled over the last few years. The general approach in this document 
> has been in use for well over a decade, in production and at scale, in 
> multiple deployed systems.
> 
> Amazon’s SIGv4 is probably the most well-exercised version of this 
> approach, and it’s still in use today (I can’t speak for Amazon’s plans 
> but they are sponsoring one of the editors to work on this draft): 
> https://docs.aws.amazon.com/general/latest/gr/signing-aws-api-requests.html
> 
> The engineers behind this original work at Amazon published their 
> original I-D back in 2013, known as the Cavage draft in the community. 
> This has many implementations in different versions on different 
> systems: 
> https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-00
> 
> One of the bigger ones out there is the Mastodon ecosystem, which uses 
> its own version of the Cavage draft: 
> https://docs.joinmastodon.org/spec/security/#http
> 
> As do financial profiles including FAPI, PSD2, and the Berlin Group’s 
> work. This is to say nothing of other efforts out there that have 
> invented or re-invented parts of this specification for their own purposes.
> 

Given the number of current users cited - is it possible to get at least 
one of those to document their approach and why it works for them, in a 
form that we could include at least as an informational reference?

A *lot* of my concerns would be assuaged if we could see a worked 
example of an application using this toolkit.

Harald

Received on Tuesday, 7 March 2023 19:43:31 UTC
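The thread turns on whether canonicalization errors show up as validation failures in practice. The following is an added illustration, not code from the draft, from SIGv4, from the Cavage implementations or from Mastodon: it signs a constructed request with HMAC-SHA256 over a signature base laid out the way draft-ietf-httpbis-message-signatures describes it (one `"name": value` line per covered component, then the `"@signature-params"` line, with field values trimmed and multiple instances joined by `", "`), then verifies against the original request, a copy whose only difference is header whitespace, and a copy whose covered path was changed. The key, key id, header values and the `created` timestamp are all made up for the example.

```python
"""HMAC-SHA256 HTTP message signature over a draft-style signature base.
Added illustration with constructed inputs; not code from the draft or from
any of the deployments named in the thread."""
import base64
import copy
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    """The parts of a request a signer or verifier needs (constructed model)."""
    method: str
    authority: str
    path: str
    headers: Dict[str, List[str]] = field(default_factory=dict)  # lower-cased names


# Constructed sample request; the Content-Type value is deliberately padded
# so the canonicalization step has something to normalize.
SAMPLE_REQUEST = Request(
    method="POST",
    authority="example.com",
    path="/foo",
    headers={
        "host": ["example.com"],
        "content-type": ["  application/json "],
        "content-digest": ["sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:"],
    },
)
CONSTRUCTED_KEY = b"placeholder-shared-secret"  # hypothetical, not a real key


def component_value(name: str, req: Request) -> str:
    """Canonical value of one covered component (derived `@...` or header field)."""
    derived = {"@method": req.method, "@authority": req.authority, "@path": req.path}
    if name in derived:
        return derived[name]
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    values = req.headers.get(name)
    if not values:
        raise ValueError(f"covered field {name} is absent")
    # Field canonicalization: trim each instance, join instances with ", ".
    return ", ".join(v.strip() for v in values)


def signature_params(components: List[str], created: int, keyid: str) -> str:
    """Serialized inner list: ("a" "b");created=...;keyid="..." """
    inner = " ".join(f'"{c}"' for c in components)
    return f'({inner});created={created};keyid="{keyid}"'


def signature_base(components: List[str], params: str, req: Request) -> str:
    """One `"name": value` line per component, then the signature-params line."""
    lines = [f'"{c}": {component_value(c, req)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(req: Request, components: List[str], created: int, keyid: str,
         key: bytes, label: str = "sig1") -> Tuple[str, str]:
    """Return (Signature-Input value, Signature value) for the request."""
    params = signature_params(components, created, keyid)
    base = signature_base(components, params, req)
    mac = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    return f"{label}={params}", f"{label}=:{base64.b64encode(mac).decode('ascii')}:"


_INPUT_RE = re.compile(r'^(?P<label>[a-z][a-z0-9_-]*)=(?P<params>\((?P<list>[^)]*)\).*)$')
_SIG_RE = re.compile(r'^(?P<label>[a-z][a-z0-9_-]*)=:(?P<b64>[A-Za-z0-9+/=]+):$')


def verify(req: Request, sig_input: str, sig: str, key: bytes) -> bool:
    """Rebuild the base from the received headers and the request as seen here."""
    m_in, m_sig = _INPUT_RE.match(sig_input), _SIG_RE.match(sig)
    if not (m_in and m_sig) or m_in["label"] != m_sig["label"]:
        return False
    components = [c.strip('"') for c in m_in["list"].split()]
    try:
        # The params string is taken verbatim from Signature-Input so that the
        # verifier's last base line matches the signer's byte for byte.
        base = signature_base(components, m_in["params"], req)
    except ValueError:
        return False  # a covered component is missing: validation fails
    expected = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(m_sig["b64"]))


def demo() -> Dict[str, bool]:
    """Sign once, then verify against the original, a re-padded, and a tampered copy."""
    comps = ["@method", "@authority", "@path", "content-type", "content-digest"]
    sig_input, sig = sign(SAMPLE_REQUEST, comps, 1678218000, "test-key", CONSTRUCTED_KEY)
    repadded = copy.deepcopy(SAMPLE_REQUEST)
    repadded.headers["content-type"] = ["application/json"]  # whitespace differs only
    tampered = copy.deepcopy(SAMPLE_REQUEST)
    tampered.path = "/bar"                                    # covered component changed
    return {
        "original": verify(SAMPLE_REQUEST, sig_input, sig, CONSTRUCTED_KEY),
        "whitespace_normalized": verify(repadded, sig_input, sig, CONSTRUCTED_KEY),
        "path_changed": verify(tampered, sig_input, sig, CONSTRUCTED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth noticing are that the verifier never re-serializes the parameters itself but copies them from the received Signature-Input value, and that the only normalization applied to field values is trimming and joining; anything an intermediary does beyond that to a covered component (rewriting a path, merging headers differently) surfaces as a validation failure, which is exactly the class of error the review asks deployments to measure.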