[Openid-specs-fapi] OpenID/FAPI alternative to draft-cavage-http-signatures

Anders Rundgren anders.rundgren.net at gmail.com
Fri May 10 13:26:27 UTC 2019


On 2019-05-10 15:02, Dave Tonge wrote:
> Hi Anders
> 
> As has been discussed previously, the cavage draft has multiple issues.
> There are already JOSE based solutions to this problem.
> 
> I did a short unconference talk at OSW2019 about this issue, slides here (excuse the typos): https://sec.uni-stuttgart.de/_media/events/osw2019/slides/tonge_-_http_signing.pdf
> 
> While there was some interest in JSON canonicalisation, most people seemed to think that using straight forward JWTs by themselves were the solution to the problem.

The fear of canonicalization seems strong although the current draft imposes very modest requirements:

- JSON Numbers MUST conceptually be treated as IEEE-754 double precision data during parsing/serialization (which also is a generic requirement for being JavaScript compatible).
- JSON Strings MUST (modulo escaping) be treated as immutable during parsing/serialization
The rest is close to trivial.

Regarding SHREQ, it is probably a better idea (as Phillipe Leothaud proposed the other day), putting HTTP header and URI hashes in the JWS Protected Header and reserving the JWS Payload for the actual message (be it detached or not).

Anyway, thanks for the update!

thanx,
Anders

> 
> We've agreed that FAPI should provide some sort of guidance in this area and we have an open issue that I hope to get to soon on this.
> 
> Dave
> 
> 
> 
> 
> On Thu, 9 May 2019 at 07:40, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
> 
>     Dear Chair & List,
> 
>     To me it looks close to ridiculous publicly downplaying https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ without providing an alternative.
> 
>     If nobody within the OpenID community is even interested in this matter, why the concern?
> 
>     Please provide a plan on how to resolve this issue, or simply accept that https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ is the de-facto standard for (at least) Open Banking.  The industry in general (as proven by this case) does not seems to have any major issues with de-facto standards.
> 
>     If OpenID/FAPI intend to wait another year addressing this issue, the de-facto status will be cemented.  Personally I see no problems if that would be the case.  The authors also seem open to input.
> 
>     sincerely,
>     Anders
>     _______________________________________________
>     Openid-specs-fapi mailing list
>     Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
> 
> 
> -- 
> Dave Tonge
> CTO
> Moneyhub Enterprise <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
> t: +44 (0)117 280 5120
> 
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at fca.org.uk/register <http://fca.org.uk/register>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772 .
> Moneyhub Financial Technology Limited 2018 ©
> 
> DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.



More information about the Openid-specs-fapi mailing list