Hi Justin
IMHO it would be useful to consider dropping body hashes and simply
using JWS filters to convert the body to/from JWS compact or even JSON
on the fly.
I recall there was some conversation before. People do want to stream
the data end to end in today's web services. The idea of hashing the
payload (even if it is arguably a 'small' payload such as 50-60k) won't
fly in many productions but only in the demos.
JWS Compact is designed to support streaming, and even JWS JSON can do
the streaming on the way out. Of course the final payload, especially if
it is JWS compact, won't be easy to analyze when it is on the wire, but
JWS JSON with base64url disabled can help. The filters will need to
recreate the original body but it is the same with for ex GZIP.
The headers/queries hash can be linked to the signed body as a JWS
header and thus protected too...
Not sure if it is convincing...
Cheers, Sergey
On 03/02/16 22:30, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of
the IETF.
Title : A Method for Signing HTTP Requests for OAuth
Authors : Justin Richer
John Bradley
Hannes Tschofenig
Filename : draft-ietf-oauth-signed-http-request-02.txt
Pages : 13
Date : 2016-02-03
Abstract:
This document describes a method for offering data origin authentication and
integrity protection of HTTP requests. To convey the relevant data
items in the request a JSON-based encapsulation is used and the JSON
Web Signature (JWS) technique is re-used. JWS offers integrity
protection using symmetric as well as asymmetric cryptography.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-02
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
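Sergey's proposal above (the body carried as a streamed JWS Compact payload, with the headers/query hash bound into the JWS protected header instead of a separate body hash), as an added example that is not part of the thread or of the draft. Stdlib Python with HS256; the "hq" header parameter, the canonical form of the headers and query, and the sample request are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def headers_query_hash(headers: dict, query: str) -> str:
    # Canonical form constructed for this example: sorted, lowercased "name: value"
    # lines followed by the raw query string, hashed with SHA-256.
    lines = [f"{k.lower()}: {v}" for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())]
    return b64url(hashlib.sha256("\n".join(lines + [query]).encode()).digest())

def stream_signed_body(key: bytes, headers: dict, query: str, body_chunks):
    # Yields a JWS Compact Serialization piece by piece so the sender never buffers the whole
    # body; "hq" is a hypothetical protected-header parameter binding the headers/query hash.
    protected = {"alg": "HS256", "hq": headers_query_hash(headers, query)}
    enc_header = b64url(json.dumps(protected, separators=(",", ":")).encode())
    mac = hmac.new(key, (enc_header + ".").encode(), hashlib.sha256)
    yield enc_header + "."
    pending = b""
    for chunk in body_chunks:
        pending += chunk
        cut = len(pending) - len(pending) % 3  # whole 3-byte groups encode with no padding
        piece = b64url(pending[:cut])
        pending = pending[cut:]
        mac.update(piece.encode())
        yield piece
    tail = b64url(pending)
    mac.update(tail.encode())
    yield tail + "." + b64url(mac.digest())  # the signature is the last thing on the wire

def verify_signed_body(key: bytes, compact: str, headers: dict, query: str) -> bytes:
    # Receiver: check the HMAC over header.payload, then that received headers/query match "hq".
    enc_header, enc_payload, enc_sig = compact.split(".")
    expected = hmac.new(key, f"{enc_header}.{enc_payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("JWS signature mismatch")
    protected = json.loads(b64url_decode(enc_header))
    if protected.get("alg") != "HS256" or protected.get("hq") != headers_query_hash(headers, query):
        raise ValueError("headers/query hash mismatch")
    return b64url_decode(enc_payload)

# Constructed sample request (made-up key, host and body).
KEY = b"constructed-shared-secret"
HEADERS = {"Host": "api.example", "Content-Type": "application/json"}
QUERY = "op=transfer&amount=50"
BODY = b'{"to":"acct-42","memo":"rent"}'
```

Because every emitted piece encodes whole 3-byte groups, the concatenated stream is byte-for-byte the same compact JWS the sender would produce from the buffered body, and the receiver's filter recovers the original body once the trailing signature has been checked.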