[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures

Anders Rundgren anders.rundgren.net at gmail.com
Wed Mar 13 17:39:01 UTC 2019


On 2019-03-13 18:31, Philippe Leothaud wrote:
> Hi Anders,
> 
> The goal of https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05 is to ensure integrity on HTTP exchanges (i.e. on a request/response pair)
> 
> The main goal of this, as stated in the draft is to have a response to a request "treated as authoritative for that origin, even if it was transferred over a connection that isn't authoritative"
> 
> In short, when you retrieve a response from a cache, you want to be sure that what was cached has not been tampered with
> 
> It's completely different from what we need to achieve in the context of FAPI, and more generally in the context of API security, where we're looking for single message integrity (be they requests or responses)
> 
> HTH,

It certainly did!  Thank you!

Regards,
Anders

> 
> Phil
> 
> On Wed, Mar 13, 2019 at 6:13 PM Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
> 
>     On 2019-03-13 17:25, Joseph Heenan via Openid-specs-fapi wrote:
>      > I presume the interoperability issues are solvable one way or another?
>      >
>      > The early reports about OBUK’s signing algorithm seem to be cautiously pessimistic. I’m not sure if OB gave any reasons for not using the IETF cavage draft.
>      >
>      > I know we’ve discussed it before, but it does seem like the FAPI working group should try and favour one standard, which would also allow us to build interoperability/certification tests for that standard. I think the oauth working group feels similarly. Justin Richer pulled together some of the thoughts at IETF 101 ( https://datatracker.ietf.org/meeting/101/materials/slides-101-oauth-sessa-http-signing-00 ) but I’m not sure if the conversation moved on from there.
> 
>     Hi Joseph,
>     thank you for providing this information; it was news to me at least!
> 
>     If https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05 would become "the" HTTP signature standard, we would be in big trouble. I can't even "decipher" it :-(
> 
>     BTW, where does the FAPI signature solution stand standards-wise?
>     https://openid.net/specs/openid-financial-api-part-2.html#request
>     It is not obvious that the FAPI signature solution actually is RESTful; maybe I'm missing something here?
> 
>     Anders
> 
> 
> 
>      >
>      > Perhaps it’s one to put on the agenda for the oauth security workshop face-to-face?
>      >
>      > Joseph
>      >
>      >
> 
> 
> 