[Openid-specs-fapi] [E] Re: HTTP Signing
Hjelm, Bjorn
bjorn.hjelm at verizonwireless.com
Fri Jan 29 03:05:26 UTC 2021
Dave,
For what it's worth, I'm interested in continuing this work.
BR,
Bjorn
On Wed, Jan 13, 2021 at 7:00 AM Dave Tonge via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> Just bumping this to people's inboxes.
> If you are interested in this work continuing in the FAPI WG, please reply
> to this thread.
>
> Thanks
>
> Dave
>
> On Sat, 9 Jan 2021 at 05:49, Anders Rundgren via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> On 2021-01-08 23:33, Brian Campbell wrote:
>> > It's definitely more than just the claims as it uses and extends DPoP
>> including the HTTP header that carries the DPoP JWT proof.
>>
>> I got that. My question was rather related to the DPoP protocol like:
>> https://tools.ietf.org/html/draft-ietf-oauth-dpop-02#section-5
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Doauth-2Ddpop-2D02-23section-2D5&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=DVkn78K-1WlWBNpVEGvk90LDGLIuVJ0d0ifs3zGV8Dw&e=>
>>
>> From what I deduct see the draft can be used in any context and that is
>> good :)
>>
>> Anders
>>
>> >
>> > A slight modification to part of Dave's description might be helpful:
>> >
>> > /This specification is an extension to DPoP that supports the following
>> >
>> > 1. I*nclusion of a digest of the HTTP body as a claim in the DPoP
>> proof *
>> > 2. Using DPoP proofs in HTTP responses
>> > 3. Allowing a signed HTTP response to be cryptographically linked to
>> a signed HTTP request/
>> >
>> >
>> > On Wed, Jan 6, 2021 at 11:17 PM Anders Rundgren via Openid-specs-fapi <
>> openid-specs-fapi at lists.openid.net <mailto:
>> openid-specs-fapi at lists.openid.net>> wrote:
>> >
>> > Hi Dave,
>> >
>> > I would like the draft to clearly state that it only uses DPoP
>> claims rather than the DPoP protocol.
>> > Or is this assertion is wrong? If so, I'm obviously confused :(
>> >
>> > Thanx,
>> > Anders
>> >
>> > On 2021-01-06 16:15, Dave Tonge via Openid-specs-fapi wrote:
>> > > Dear WG
>> > >
>> > > The FAPI2 Advanced spec requires a mechanism for HTTP signing.
>> > >
>> > > Brian and I have worked on the following spec based on DPoP that
>> could be used to enable this:
>> > >
>> > >
>> https://bitbucket.org/openid/fapi/src/581a0350bca97240f104fa27f4e9f0d9d851aab0/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_src_581a0350bca97240f104fa27f4e9f0d9d851aab0_Financial-5FAPI-5FSimple-5FHTTP-5FMessage-5FIntegrity-5FProtocol.md&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=yu4Vn06yaBto6TKtp9jXD27fpzRpGdhcxruEpM36KNw&e=>
>> <
>> https://bitbucket.org/openid/fapi/src/581a0350bca97240f104fa27f4e9f0d9d851aab0/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_src_581a0350bca97240f104fa27f4e9f0d9d851aab0_Financial-5FAPI-5FSimple-5FHTTP-5FMessage-5FIntegrity-5FProtocol.md&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=yu4Vn06yaBto6TKtp9jXD27fpzRpGdhcxruEpM36KNw&e=>>
>> <
>> https://bitbucket.org/openid/fapi/src/581a0350bca97240f104fa27f4e9f0d9d851aab0/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_src_581a0350bca97240f104fa27f4e9f0d9d851aab0_Financial-5FAPI-5FSimple-5FHTTP-5FMessage-5FIntegrity-5FProtocol.md&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=yu4Vn06yaBto6TKtp9jXD27fpzRpGdhcxruEpM36KNw&e=>
>> <
>> https://bitbucket.org/openid/fapi/src/581a0350bca97240f104fa27f4e9f0d9d851aab0/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_src_581a0350bca97240f104fa27f4e9f0d9d851aab0_Financial-5FAPI-5FSimple-5FHTTP-5FMessage-5FIntegrity-5FProtocol.md&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=yu4Vn06yaBto6TKtp9jXD27fpzRpGdhcxruEpM36KNw&e=>>>
>> (SHIMP)
>> > > There has been some discussion in this issue <
>> https://bitbucket.org/openid/fapi/issues/309/decision-on-message-signing-for-fapi-2
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_issues_309_decision-2Don-2Dmessage-2Dsigning-2Dfor-2Dfapi-2D2&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=H-gmJHplA4mvS6DNG8SbjbyM08NAxaEaGAwlo5Brsx8&e=>
>> <
>> https://bitbucket.org/openid/fapi/issues/309/decision-on-message-signing-for-fapi-2
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_issues_309_decision-2Don-2Dmessage-2Dsigning-2Dfor-2Dfapi-2D2&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=H-gmJHplA4mvS6DNG8SbjbyM08NAxaEaGAwlo5Brsx8&e=>
>> >>
>> > >
>> > > I'll provide some more info below, but my ask of the WG is:
>> > >
>> > > *Should the FAPI WG adopt this document as a WG draft and start
>> working on it?*
>> > >
>> > > I would be grateful for any feedback. If there is not support to
>> work on such a spec within the WG then we can leave it and potentially in
>> FAPI2 advanced require http signing but without specifying the method to
>> use.
>> > >
>> > > ---
>> > >
>> > > Here is an overview of the spec from the intro:
>> > >
>> > > /The OAuth working group at the IETF has defined the DPOP
>> standard which "enables a client to demonstrate proof-of-possession of a
>> public/private key pair by including a DPoP header in an HTTP request".
>> DPOP specifies a way for a client to sign a proof which contains claims for
>> the HTTP method and URI. The specification allows DPoP proofs to be
>> extended to protect additional HTTP data.
>> > >
>> > > This specification is an extension to DPoP that supports the
>> following
>> > >
>> > > 1. Signing a digest of the HTTP body data
>> > > 2. Using DPoP proofs in HTTP responses
>> > > 3. Allowing a signed HTTP response to be cryptographically
>> linked to a signed HTTP request
>> > >
>> > > The aim of this specification is to provide a simple,
>> interoperable method of signing HTTP requests and responses. By utilizing
>> DPOP (which itself utilizes the JOSE suite of standards) and DIGEST there
>> is no need for custom canonicalization rules. The DPoP proof is a simple
>> self-contained JWT and is therefore simple to verify./
>> > > ----
>> > >
>> > > I personally think that the ability to have a standards based
>> approach to link the request and response for http signing will be
>> important for the non-repudiation use-case.
>> > >
>> > > Issues with other solutions:
>> > >
>> > > 1. Draft Cavage - custom (error prone) canonicalization and
>> algorithm specification
>> > > 2. OBE / ETSI - same problem as Cavage, but with the addition of
>> a strange use of detached JWS for signing caoniclisated http headers rather
>> than the body
>> > > 3. Detached JWS (used by OB UK) - only signs the body, requires
>> custom JWT header claims
>> > >
>> > > In contrast SHIMP has these advantages:
>> > > - uses simple JWTs, easy to implement, interoperable
>> > > - no need for custom JWT header claims
>> > > - no error-prone canonicalization
>> > >
>> > > I look forward to receiving your feedback.
>> > >
>> > > Dave
>> > >
>> > >
>> > > Moneyhub Enterprise is a trading style of Moneyhub Financial
>> Technology Limited which is authorised and regulated by the Financial
>> Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the
>> Financial Services Register (FRN 809360) at https://register.fca.org.uk/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__register.fca.org.uk_&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=MDOvuSMX5HKVDgDa8YoZfCwClvYe3Cn8eKQV0dc14fs&e=>
>> <https://register.fca.org.uk/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__register.fca.org.uk_&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=MDOvuSMX5HKVDgDa8YoZfCwClvYe3Cn8eKQV0dc14fs&e=>>
>> <https://register.fca.org.uk/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__register.fca.org.uk_&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=MDOvuSMX5HKVDgDa8YoZfCwClvYe3Cn8eKQV0dc14fs&e=>
>> <https://register.fca.org.uk/
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__register.fca.org.uk_&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=MDOvuSMX5HKVDgDa8YoZfCwClvYe3Cn8eKQV0dc14fs&e=>>>.
>> Moneyhub Financial Technology is registered in England & Wales, company
>> registration number 06909772. Moneyhub Financial Technology Limited 2020 ©
>> Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1
>> 6EA.
>> > >
>> > > DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this email or
>> of any information in it other than by the addressee is unauthorised and
>> unlawful. Whilst reasonable efforts are made to ensure that any attachments
>> are virus-free, it is the recipient's sole responsibility to scan all
>> attachments for viruses. All calls and emails to and from this company may
>> be monitored and recorded for legitimate purposes relating to this
>> company's business. Any opinions expressed in this email (or in any
>> attachments) are those of the author and do not necessarily represent the
>> opinions of Moneyhub Financial Technology Limited or of any other group
>> company.
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > Openid-specs-fapi mailing list
>> > > Openid-specs-fapi at lists.openid.net <mailto:
>> Openid-specs-fapi at lists.openid.net>
>> > > http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=>
>> <http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=>
>> >
>> > >
>> >
>> > _______________________________________________
>> > Openid-specs-fapi mailing list
>> > Openid-specs-fapi at lists.openid.net <mailto:
>> Openid-specs-fapi at lists.openid.net>
>> > http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=>
>> <http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=>
>> >
>> >
>> >
>> > /CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you./
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=>
>>
>
>
> --
> Dave Tonge
> CTO
> [image: Moneyhub Enterprise]
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com_url-3Fq-3Dhttp-253A-252F-252Fmoneyhubenterprise.com-252F-26sa-3DD-26sntz-3D1-26usg-3DAFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=HNtaFZapB7lr_9uMhsoUyyzZjq-YtXi7dTW0YDlp7Dk&e=>
> t: +44 (0)117 280 5120
>
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
> Limited which is authorised and regulated by the Financial Conduct
> Authority ("FCA"). Moneyhub Financial Technology is entered on the
> Financial Services Register (FRN 809360) at fca.org.uk/register
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__fca.org.uk_register&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=H4ZbPBICM4wPvGw1gTCP13pygQGhSXSxO2lcxyKIPb4&e=>.
> Moneyhub Financial Technology is registered in England & Wales, company
> registration number 06909772 .
> Moneyhub Financial Technology Limited 2018 ©
>
> DISCLAIMER: This email (including any attachments) is subject to
> copyright, and the information in it is confidential. Use of this email or
> of any information in it other than by the addressee is unauthorised and
> unlawful. Whilst reasonable efforts are made to ensure that any attachments
> are virus-free, it is the recipient's sole responsibility to scan all
> attachments for viruses. All calls and emails to and from this company may
> be monitored and recorded for legitimate purposes relating to this
> company's business. Any opinions expressed in this email (or in any
> attachments) are those of the author and do not necessarily represent the
> opinions of Moneyhub Financial Technology Limited or of any other group
> company.
>
> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
> Limited which is authorised and regulated by the Financial Conduct
> Authority ("FCA"). Moneyhub Financial Technology is entered on the
> Financial Services Register (FRN 809360) at https://register.fca.org.uk/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__register.fca.org.uk_&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=MDOvuSMX5HKVDgDa8YoZfCwClvYe3Cn8eKQV0dc14fs&e=>.
> Moneyhub Financial Technology is registered in England & Wales, company
> registration number 06909772. Moneyhub Financial Technology Limited 2020 ©
> Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1
> 6EA.
>
> DISCLAIMER: This email (including any attachments) is subject to
> copyright, and the information in it is confidential. Use of this email or
> of any information in it other than by the addressee is unauthorised and
> unlawful. Whilst reasonable efforts are made to ensure that any attachments
> are virus-free, it is the recipient's sole responsibility to scan all
> attachments for viruses. All calls and emails to and from this company may
> be monitored and recorded for legitimate purposes relating to this
> company's business. Any opinions expressed in this email (or in any
> attachments) are those of the author and do not necessarily represent the
> opinions of Moneyhub Financial Technology Limited or of any other group
> company.
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwICAg&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=UPgNVLwA3qIV4okAgS2Q93CXiEi_kZTocDC8nDbPYDk&s=u7iPssUi8AfOYoAZq-O0Tv10iJClUVCkYD35pvepdgQ&e=
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20210128/38e5526b/attachment-0001.html>
More information about the Openid-specs-fapi
mailing list