Re: Artart last call review of draft-ietf-httpbis-message-signatures-16

I agree with this approach as well. I think part of the problem here is different readings of “security mechanism”. When I see that, I read it as in “this is a piece that does a specific action”, something inherently part of a larger machine. Others seem to be reading this more as “security solution”, which is to say the plans for the whole machine. That was never the intended reading.

 — Justin

> On Mar 15, 2023, at 7:59 AM, Backman, Annabelle <richanna@amazon.com> wrote:
> 
> I agree; we can amend it to explicitly state what this spec does and does not do. This could be reiterated in section 1.4, Application of HTTP Message Signatures.
> 
> —
> Annabelle Backman (she/her)
> 
>> On Mar 14, 2023, at 10:11 PM, Martin Thomson <mt@lowentropy.net> wrote:
>> 
>>> On Wed, Mar 15, 2023, at 05:46, Backman, Annabelle wrote:
>>> Note that like HTTP Message Signatures, SigV4 is not a complete
>>> security protocol.
>> 
>> I think that this is an important point that is likely lost on readers of this document.  One that can be fixed, I think, relatively easily.
>> 
>> The framing in the draft pretty much cleaves along the lines of stating that this is a solution; take the introductory sentence from Section 1.4:
>> 
>>> HTTP Message Signatures are designed to be a general-purpose security mechanism applicable in a wide variety of circumstances and applications. In order to ...
>> 
>> A more direct acknowledgment of this limitation might head off the sorts of objections Harald raises.  Perhaps something like:
>> 
>>> HTTP Message Signatures describe a mechanism for signing selected portions of HTTP messages.  This is not intended to be a complete security mechanism; rather, HTTP Message Signatures form a component in a larger system that depends on authenticating messages.  In particular, the choice of which portions of messages are signed will determine what properties might be obtained.  In order to ...
>> 

Received on Wednesday, 15 March 2023 14:12:07 UTC