[Openid-specs-fapi] OpenID/FAPI alternative to draft-cavage-http-signatures
Anders Rundgren
anders.rundgren.net at gmail.com
Thu May 9 12:47:36 UTC 2019
On 2019-05-09 10:34, Philippe Leothaud wrote:
> Hi Anders,
>
Hi Philippe,
> I'm actually thinking of a way to also sign the request line and selected HTTP headers using a JWS detached signature.
>
> Basically it would just work by adding this information in the secured JOSE header.
That would of course work just fine! I would use a format similar to cavage.
The somewhat bigger problem/issue is that it has been claimed (by more than one person) that "ASCII-armoring" is a necessity, which effectively eliminates detached data schemes from the plot.
Or maybe you rather meant that only the header/request line information would be detached while the HTTP Body would simply be a compact JWS where JWS Payload=Message coded in Base64Url? That would of course work great (except for a growing bunch of people who like me do not believe such extreme measures are strictly necessary [*]).
Best
Anders
[*] XML didn't need it, and it uses a ten times more complex "C14N" than required by JSON. That XML DSig was a total fiasco is IMO quite a stretch.
>
> Wdyt?
>
> Thanks,
>
> Philippe
>
> On Thu, 9 May 2019 at 07:40, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> Dear Chair & List,
>
> To me it looks close to ridiculous publicly downplaying https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ without providing an alternative.
>
> If nobody within the OpenID community is even interested in this matter, why the concern?
>
> Please provide a plan on how to resolve this issue, or simply accept that https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ is the de-facto standard for (at least) Open Banking. The industry in general (as proven by this case) does not seem to have any major issues with de-facto standards.
>
> If OpenID/FAPI intends to wait another year before addressing this issue, the de-facto status will be cemented. Personally I see no problem if that were the case. The authors also seem open to input.
>
> sincerely,
> Anders
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>
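Philippe's detached-JWS proposal above, as an added example (not code from this thread or from any project): the request line plus a listed set of headers form the JWS payload, the list is carried in the protected header under a hypothetical "covered" parameter (cavage's "headers" parameter plays the same role), and the payload is omitted from the compact serialization via RFC 7797 `b64=false`. HS256 with a shared key is assumed only so the example runs on the standard library; the verifier pins the algorithm and demands a minimum header set so a signer cannot shrink coverage.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_payload(method, target, headers, covered):
    """Detached payload: request line, then each covered header as 'name: value'."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [f"{method.upper()} {target}"]
    for name in covered:
        if name not in lowered:  # signer and verifier both refuse silent gaps
            raise ValueError(f"covered header missing: {name}")
        lines.append(f"{name}: {lowered[name]}")
    return "\n".join(lines).encode("utf-8")

def sign_request(key: bytes, method, target, headers, covered):
    covered = [c.lower() for c in covered]
    # "covered" is a hypothetical protected-header parameter naming the signed headers.
    protected = {"alg": "HS256", "b64": False, "crit": ["b64"], "covered": covered}
    enc_header = b64url(json.dumps(protected, separators=(",", ":")).encode("utf-8"))
    payload = signing_payload(method, target, headers, covered)
    # RFC 7797 signing input with b64=false: ASCII(header) || '.' || raw payload
    mac = hmac.new(key, enc_header.encode("ascii") + b"." + payload, hashlib.sha256).digest()
    return f"{enc_header}..{b64url(mac)}"  # empty middle segment = detached payload

def verify_request(key: bytes, jws: str, method, target, headers, required=("host", "date")):
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    enc_header, _, enc_sig = parts
    try:
        protected = json.loads(b64url_decode(enc_header))
        covered = [str(c).lower() for c in protected.get("covered", [])]
        # Pin the algorithm and insist on a verifier-chosen minimum header set,
        # so a signer cannot leave out e.g. Date and open the door to replay.
        if protected.get("alg") != "HS256" or protected.get("b64") is not False:
            return False
        if not set(required) <= set(covered):
            return False
        payload = signing_payload(method, target, headers, covered)
        expected = hmac.new(key, enc_header.encode("ascii") + b"." + payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(enc_sig))
    except (ValueError, TypeError, AttributeError):
        return False
```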