Re: HTTP Message Signatures (RFC 9421) and Registering SSH as a HTTP Signature Algorithm?

I will caveat that I don’t believe that an I-D on its own (especially a non-WG I-D) constitutes a "permanent" document as required by Specification Required — but that’s a decision with IANA and the DEs, which as Manu pointed out haven’t been formally assigned as of yet. I would expect it to be the document authors, at least to start, and I’ll follow up with IANA about that.

Also, please note that there are specific requirements for registering an algorithm identifier in the registry, detailed here:

https://www.rfc-editor.org/rfc/rfc9421.html#name-signature-algorithms


You need to lay out how your signing algorithm maps to the inputs and outputs of both HTTP_SIGN and HTTP_VERIFY functions, which includes all the bits and encodings and whatnot.

Finally, I want to point out that you don’t need to register an algorithm to use it with this RFC. Your implementation can just be configured to use it directly, or signal through some other means like a higher level protocol. The only restraint is that you don’t use the "alg" parameter to signal at runtime what the algorithm is, which isn’t recommended anyway because of algorithm downgrade attacks and other potential bug cases.

 — Justin
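As an added illustration (not code from this thread, from RFC 9421, or from its authors) of the two points above: how an algorithm identifier maps onto HTTP_SIGN and HTTP_VERIFY, and why the verifier picks the algorithm from its own key configuration rather than from the "alg" parameter. The key table, shared secret, request and parameter string are constructed for the example, and the signature base is the RFC 9421 Section 2.5 shape in simplified form.

```python
import base64
import hashlib
import hmac
import re

# Constructed verifier configuration: each keyid is bound to exactly one algorithm,
# and dispatch happens on this table, never on the "alg" parameter in the message.
KEYS = {
    "key-a": {"alg": "hmac-sha256", "secret": b"constructed-shared-secret-for-demo"},
}

def signature_base(components, params):
    # RFC 9421 Section 2.5: one '"name": value' line per covered component,
    # followed by the serialized signature parameters as "@signature-params".
    lines = [f'"{name}": {value}' for name, value in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def http_sign(alg, key, base):
    # HTTP_SIGN(key, base) -> signature bytes, selected by the algorithm identifier.
    if alg == "hmac-sha256":
        return hmac.new(key, base.encode("utf-8"), hashlib.sha256).digest()
    raise ValueError(f"no HTTP_SIGN mapping for algorithm {alg!r}")

def http_verify(alg, key, base, sig):
    # HTTP_VERIFY(key, base, sig) -> bool; constant-time comparison for a MAC.
    if alg == "hmac-sha256":
        expected = hmac.new(key, base.encode("utf-8"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)
    raise ValueError(f"no HTTP_VERIFY mapping for algorithm {alg!r}")

def sign_request(components, params, keyid):
    entry = KEYS[keyid]
    sig = http_sign(entry["alg"], entry["secret"], signature_base(components, params))
    return base64.b64encode(sig).decode("ascii")

def verify_request(components, params, sig_b64):
    # Resolve the key from keyid; the configured algorithm is the only one tried.
    m = re.search(r'keyid="([^"]+)"', params)
    entry = KEYS.get(m.group(1)) if m else None
    if entry is None:
        return False  # unknown key: nothing to verify against
    claimed = re.search(r'alg="([^"]+)"', params)
    if claimed and claimed.group(1) != entry["alg"]:
        return False  # "alg" present but disagrees with the key's configured algorithm
    try:
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return False
    return http_verify(entry["alg"], entry["secret"], signature_base(components, params), sig)

# Constructed request and Signature-Input parameters for one signature label.
REQUEST = [("@method", "POST"), ("@authority", "example.com"), ("@path", "/upload")]
PARAMS = '("@method" "@authority" "@path");created=1708000000;keyid="key-a"'
```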

On Feb 15, 2024, at 9:25 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:

On Wed, Feb 14, 2024 at 7:41 PM Christopher Allen
<ChristopherA@lifewithalacrity.com> wrote:
What would be involved in registering ssh? The spec says "specification required" but I've found in the past it is never just as simple as internet-draft specification and an IANA submission. Is this a working group decision, or is it "assigned expert" who they delegate the registry decisions to? (the latter is what is actually required for "specification required" CBOR tags). Do you know how that might work or who the "assigned experts" might be?

Here's the definition of "specification required":

https://www.rfc-editor.org/rfc/rfc8126.html#section-4.6


and the current registry:

https://www.iana.org/assignments/http-message-signature/


... and "Provisional" registration is easier than you might think it
is. Here is the section on doing a provisional registration for an
HTTP Signature Algorithm:

https://www.rfc-editor.org/rfc/rfc9421.html#section-6.2


So, basically:

1. Write a spec and follow the advice about what the "DE" (Designated
Expert) is going to check for in the section linked to above.

2. Publish the document as an I-D (or other stable location that we
can link to).

3. Request "Provisional" registration.

To get an "Active" registration, you'll need to do more work
(effectively achieving an RFC w/ multiple implementations, or (at the
very least) convincing the DE that the specification is sufficiently
detailed enough to lead to interoperable implementations).

There are currently no Designated Experts listed for the registry
because it just came into existence, but I would imagine they'll make
a call for those in the coming weeks (and at the very least, the
existing spec authors would do that job until others stepped in).

IOW, it feels like there is an easy path, measured in weeks, to
provisional registration for what you want to do.

Did that answer all of your questions, Christopher?

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Friday, 16 February 2024 13:59:29 UTC