Hi everyone On Tue, Oct 25, 2016 at 3:28 AM, Justin Richer <jric...@mit.edu> wrote:
> The reason that there’s a lot of discussion on headers and query > parameters and not a lot of discussion on the content is that there’s > nothing special for signing the body whether it’s XML or JSON or HTML: it’s > just a hash of the entity body, sent as the “b” parameter in the JWS. The > body is less likely to be transformed than the headers or parameters, and > getting into “how to sign XML” or “how to sign JSON” beyond “just take the > body as a byte array and hash it” is problematic. I don’t think we want to > get into the business of normalization or canonicalization of the message > body. > > Keep in mind that this is all for the HTTP *request* from the client and > not the HTTP *response* from the RS. > > — Justin > > On Oct 24, 2016, at 1:27 PM, Phil Hunt <phil.h...@oracle.com> wrote: > > Rather than focus on headers and URL param signing, focus on specifying > how content is signed in the context of PoP. > > I think there might be a clearer path for example if we new that signing > for application/json and application/xml worked well. > > As we’ve been discussing signing headers and URL params is theoretically > do-able, but it probably has more limited use and would remain experimental. > > Phil > > @independentid > www.independentid.com > phil.h...@oracle.com > > > > > > On Oct 24, 2016, at 1:06 PM, Justin Richer <jric...@mit.edu> wrote: > > You can already sign arbitrary content using a body hash with the current > spec. > > — Justin > > On Oct 24, 2016, at 8:38 AM, Phil Hunt (IDM) <phil.h...@oracle.com> wrote: > > Maybe if we reworked the signing doc so content types like xml and json > could be signed? > > This would cover for the majority of web api cases. > > Wonder what the advice of the http wg would be on this. > > Phil > > On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <sam...@erdtman.se> wrote: > > +1 on doing PoP work in this working group, including HTTP signing/MACing, > I don´t think the old HTTP signature document was that far from useful. > > With the ACE work I like when it is possible to just map work done in the > OAuth and other working groups to the more optimized protocols. Some would > maybe say that it is sub-optimal that the protocol was not initially > designed for the constrained environment but I think the benefit of concept > validation from web is a bigger plus. > > //Samuel > > On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jric...@mit.edu> wrote: > >> I believe that the PoP work should stay in the working group, and that >> without a usable presentation mechanism such as an HTTP message signature >> the whole work is pointless. I agree with Mike that we should learn from >> our own mistakes — and that is precisely the direction that the current >> HTTP signing draft took. As a result, the base level of functionality is >> signing the token itself (with a timestamp/nonce) using the key. All of the >> fiddly HTTP bits that trip people up? Not only are they optional, but it’s >> explicitly declared what’s covered. Why? Because we’re learning from past >> mistakes. >> >> I think that token binding is relying on a lot of “ifs” that aren’t real >> yet, and if those “ifs” become reality then it will be to the benefit of >> large internet companies over everyone else. Additionally, token binding in >> OAuth is far from the simple solution that it’s being sold as. The very >> nature of an access token goes against the original purpose of tying an >> artifact to a single presentation channel. OAuth clients in the real world >> need to be able to deal with multiple resource servers and dynamically >> deployed APIs, and the token binding protocol fundamentally assumes a world >> where two machines are talking directly to each other. >> >> All that said, this working group has consistently shown resistance to >> solving this problem for many years, so the results of this query don’t at >> all surprise me. >> >> — Justin >> >> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig < >> hannes.tschofe...@gmx.net> wrote: >> > >> > Hi all, >> > >> > two questions surfaced at the last IETF meeting, namely >> > >> > 1) Do we want to proceed with the symmetric implementation of PoP or, >> > alternatively, do we want to move it over to the ACE working group? >> > >> > 2) Do we want to continue the work on HTTP signing? >> > >> > We would appreciate your input on these two questions. >> > >> > Ciao >> > Hannes & Derek >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
