[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures

Philippe Leothaud philippe.leothaud at 42crunch.com
Wed Mar 13 17:31:55 UTC 2019

Hi Anders,

The goal of
https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05 is
to ensure integrity on HTTP exchanges (i.e. on a request/response pair)

The main goal of this, as stated in the draft is to have a response to a
request "treated as authoritative for that origin, even if it was
transferred over a connection that isn't authoritative"

In short, when you retrieve a response from a cache, you want to be sure
that what was cached has not been tampered with

It's completely different from what we need to achieve in the context of
FAPI, and more generally in the context of API security, where we're
looking for single message itegrity (be they erquests or responses)



On Wed, Mar 13, 2019 at 6:13 PM Anders Rundgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> On 2019-03-13 17:25, Joseph Heenan via Openid-specs-fapi wrote:
> > I presume the interoperability issues are solvable one way or another?
> >
> > The early reports about OBUK’s signing algorithm seem to be cautiously
> pessimistic. I’m not sure if OB gave any reasons for not using the IETF
> cavage draft.
> >
> > I know we’ve discussed it before, but it does seem like the FAPI working
> group should try and favour one standard, which would also allow us to
> build interoperability/certification tests for that standard. I think the
> oauth working group feels similarly. Justin Richer pulled together some of
> the thoughts at IETF 101 (
> https://datatracker.ietf.org/meeting/101/materials/slides-101-oauth-sessa-http-signing-00
> ) but I’m not sure if the conversation moved on from there.
> Hi Joseph,
> thank you for providing this information; it was news to me at least!
> If
> https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05
> would become "the" HTTP signature standard, we would be in big trouble. I
> can't even "decipher" it :-(
> BTW, where does the FAPI signature solution stand standards-wise?
> https://openid.net/specs/openid-financial-api-part-2.html#request
> It is not obvious that the FAPI signature solution actually is RESTful;
> maybe I'm missing something here?
> Anders
> >
> > Perhaps it’s one to put on the agenda for the oauth security workshop
> face-to-face?
> >
> > Joseph
> >
> >
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190313/da710a6c/attachment.html>

More information about the Openid-specs-fapi mailing list