[Openid-specs-fapi] Next step(s) for FAPI?

Anders Rundgren anders.rundgren.net at gmail.com
Thu Oct 10 05:04:18 UTC 2019


As reported by Ralph Bragg, ETSI is also working on a solution to the HTTP signature "enigma":
http://lists.openid.net/pipermail/openid-specs-fapi/2019-September/001550.html

As you may also have heard (way too many times I guess...), I'm working on a universal payment authorization scheme coined Saturn.  This system is heavily based on counter-signed as well as hashed JSON objects.  In an HTTP context this requires that signed requests must be serializable.  In practical terms this means that:
- signatures must either reside in the Body (POST) or in the URL (GET)
- content data must be reproducible in a reliable fashion

A common limitation of all schemes is that signed header data can only be (securely) verified by the receiving server since the data is transient.

Anders
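As an added illustration (not from this thread or from Saturn itself) of the serializability requirement above: a JSON request body is signed over a deterministic serialization, embedded in a second, counter-signed object, and still verifies after the receiver re-parses it with different key order and whitespace. HMAC-SHA256 stands in for a real signature scheme, sorted-key compact JSON for a canonical form, and the `signature` property name and sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

SIG = "signature"  # hypothetical name of the embedded signature property


def canonicalize(obj) -> bytes:
    """Deterministic serialization (sorted keys, no insignificant whitespace,
    raw UTF-8) so that differently ordered or formatted copies of the same
    JSON yield identical bytes to sign and hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(obj: dict, key: bytes) -> dict:
    """Return a copy of obj carrying a signature over all its other properties."""
    body = {k: v for k, v in obj.items() if k != SIG}
    return {**body, SIG: hmac.new(key, canonicalize(body), hashlib.sha256).hexdigest()}


def verify(signed: dict, key: bytes) -> bool:
    """Recompute the signature over the object with its signature property removed."""
    body = {k: v for k, v in signed.items() if k != SIG}
    expected = hmac.new(key, canonicalize(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get(SIG, "")))


def counter_sign(signed_inner: dict, outer: dict, key: bytes) -> dict:
    """Embed an already signed object and sign the whole, so the outer
    signature also covers the inner signature and the data it protects."""
    return sign({**outer, "authorization": signed_inner}, key)


def demo() -> dict:
    # Constructed sample: a payer's authorization counter-signed by a merchant.
    payer_key, merchant_key = b"payer-demo-key", b"merchant-demo-key"
    auth = sign({"amount": "125.00", "currency": "EUR", "payee": "Acme"}, payer_key)
    request = counter_sign(auth, {"orderId": "7021", "merchant": "Acme"}, merchant_key)
    # Simulate transport: pretty-printed and re-parsed with reversed key order.
    wire = json.dumps(request, indent=2)
    received = dict(reversed(list(json.loads(wire).items())))
    tampered = json.loads(wire)
    tampered["authorization"]["amount"] = "1250.00"  # modify a signed property
    return {
        "outer_ok": verify(received, merchant_key),
        "inner_ok": verify(received["authorization"], payer_key),
        "tampered_inner_ok": verify(tampered["authorization"], payer_key),
        "tampered_outer_ok": verify(tampered, merchant_key),
    }
```

Because the outer signature covers the embedded inner object, changing a property inside the payer's authorization invalidates both signatures at once.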

On 2019-10-09 20:32, Mike Jones via Openid-specs-fapi wrote:
> If people want to do HTTP signing, the other alternatives are https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03 (which is used in production, despite being expired), the AWS request signing specification <https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html> (which was described in this presentation <https://datatracker.ietf.org/meeting/105/materials/slides-105-oauth-sessa-http-request-signing-in-amazon-web-services-00> at IETF 105, and is extensively used), and the OAuth DPoP spec <https://tools.ietf.org/html/draft-fett-oauth-dpop-02>, which appears to be on track for adoption by the OAuth working group during IETF 106 in November.
> 
> For those of you who aren’t aware of the warning in the Cavage signatures draft <https://tools.ietf.org/html/draft-cavage-http-signatures-11>, it says:
> 
>     WARNING: DO NOT IMPLEMENT THIS SPECIFICATION AND PUSH THE CODE INTO
>     PRODUCTION.  THIS VERSION OF THE SPECIFICATION IS ONLY FOR
>     EXPERIMENTAL IMPLEMENTATIONS.
> 
> It’s my understanding that Mark Cavage has abandoned the specification and believes it should not become a standard.  (At least, that’s how Phil Hunt, also of Oracle, described its status to me.)  So it’s surprising to me that there’s even discussion about resurrecting it, given the other good choices already available.
> 
> I’ll be glad to be on the special FAPI call on this topic.
> 
>                                                         -- Mike
> 
> -----Original Message-----
> From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> On Behalf Of Manu Sporny via Openid-specs-fapi
> Sent: Monday, October 7, 2019 6:55 AM
> To: openid-specs-fapi at lists.openid.net
> Cc: Manu Sporny <msporny at digitalbazaar.com>
> Subject: Re: [Openid-specs-fapi] Next step(s) for FAPI?
> 
>  > Given that Cavage 11 includes the following.
> 
> Hi, my name is Manu Sporny, I'm the primary specification editor for HTTP Signatures (draft-cavage-http-signatures).
> 
>  > The Berlin group and others have had to explicitly reference version
>  > 10 to avoid using a spec that says “don’t use this”. This doesn’t
>  > leave them a way forward with this draft.
> 
> There is a version 12 that will be published shortly that won't have that text. We placed the text in there to gather feedback from the community before committing to the specification text as the way forward. As you can imagine, there are currently 25 implementations of the specification and we need to be careful about changes to the specification. We were unsure of some of the backwards-compatible changes we made to this version (we're pretty sure we didn't break anything, but wanted to make doubly sure with implementers before we marked the specification as safe to implement in a non-experimental fashion).
> 
> We have published an HTTP Signatures Test Suite to ensure that implementations are actually following the specification:
> 
> https://github.com/w3c-dvcg/http-signatures-test-suite
> 
> It sounds like there is a time sensitivity here... what is it? If there is a time sensitivity, we can accelerate the removal of that text.
> 
>  > I expect that ETSI will look at the desirable properties of the
>  > Cavages draft and try and come up with something that has the same
>  > characteristics.
> 
> This sounds like "we are going to fork the specification"... if you are intending to do that, please don't. There has been tremendous effort placed into getting the spec to where it is, gathering implementations, putting a test suite together, etc. Things that you may feel are unnecessary may result in severe vulnerabilities if removed.
> 
> This is the first I'm hearing about this group's desire to use some variation of the specification. How can we, the people building the HTTP Signatures spec, help?
> 
> -- manu
> 
> --
> Manu Sporny (skype: msporny, twitter: manusporny) Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
