Hi Justin

IMHO it would be useful to consider dropping body hashes and simply using JWS filters to convert the body to/from JWS compact or even JSON on the fly. I recall there was some conversation before. People do want to stream the data end to end in today's web services. The idea of hashing the payload (even if it is arguably a 'small' payload such as 50-60k) won't fly in many productions but only in the demos.

JWS Compact is designed to support streaming, and even JWS JSON can do the streaming on the way out. Of course the final payload, especially if it is JWS compact, won't be easy to analyze when it is on the wire, but JWS JSON with base64url disabled can help. The filters will need to recreate the original body, but it is the same with, for example, GZIP.

The headers/queries hash can be linked to the signed body as a JWS header and thus protected too...

Not sure if it is convincing...

Cheers, Sergey

On 03/02/16 22:30, [email protected] wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

         Title           : A Method for Signing HTTP Requests for OAuth
         Authors         : Justin Richer
                           John Bradley
                           Hannes Tschofenig
         Filename        : draft-ietf-oauth-signed-http-request-02.txt
         Pages           : 13
         Date            : 2016-02-03

Abstract:
    This document describes a method for offering data origin authentication and
    integrity protection of HTTP requests.  To convey the relevant data
    items in the request a JSON-based encapsulation is used and the JSON
    Web Signature (JWS) technique is re-used.  JWS offers integrity
    protection using symmetric as well as asymmetric cryptography.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
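To make the two designs being compared concrete, here is an added example (not code from the draft, from Sergey, or from any project mentioned in the thread) that signs the same HTTP request both ways with an HS256 JWS in compact serialization: once draft-style, where a small JSON descriptor carrying a SHA-256 hash of the body is the JWS payload, and once as Sergey suggests, where the body itself is the JWS payload and a hash of the headers and query string rides in the protected JWS header. The field names `m`, `u`, `p`, `hq`, `b`, the `typ` value, the canonicalisation in `header_query_hash`, the key and all request data are constructed assumptions for illustration, not the draft's exact encoding rules.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_compact_sign(key: bytes, protected: dict, payload: bytes) -> str:
    """HS256 JWS compact serialization: BASE64URL(header).BASE64URL(payload).BASE64URL(sig)."""
    header = {"alg": "HS256", **protected}
    hdr = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    pl = b64url(payload)
    signing_input = f"{hdr}.{pl}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{hdr}.{pl}.{b64url(sig)}"


def jws_compact_verify(key: bytes, token: str):
    """Return (protected_header, payload) after a constant-time MAC check; raise on mismatch."""
    hdr, pl, sig = token.split(".")
    expected = hmac.new(key, f"{hdr}.{pl}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("JWS signature mismatch")
    return json.loads(b64url_decode(hdr)), b64url_decode(pl)


def header_query_hash(headers: dict, query: dict) -> str:
    """Assumed canonicalisation (constructed, not the draft's rule): sorted lowercase
    'name: value' header lines followed by sorted 'k=v' query pairs, SHA-256, base64url."""
    lines = [f"{k.lower()}: {v}" for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())]
    lines += [f"{k}={v}" for k, v in sorted(query.items())]
    return b64url(hashlib.sha256("\n".join(lines).encode("utf-8")).digest())


# Design 1 (draft style, simplified): the body is hashed into a signed JSON descriptor.
# The sender must have the whole body in hand before it can compute "b".
def sign_with_body_hash(key, method, host, path, headers, query, body: bytes) -> str:
    descriptor = {
        "m": method, "u": host, "p": path,                     # assumed field names
        "hq": header_query_hash(headers, query),
        "b": b64url(hashlib.sha256(body).digest()),            # body hash, not the body
    }
    return jws_compact_sign(key, {"typ": "pop"}, json.dumps(descriptor, separators=(",", ":")).encode("utf-8"))


def verify_with_body_hash(key, token, method, host, path, headers, query, body: bytes) -> bool:
    try:
        _, pl = jws_compact_verify(key, token)
    except ValueError:
        return False
    d = json.loads(pl)
    return ((d.get("m"), d.get("u"), d.get("p")) == (method, host, path)
            and d.get("hq") == header_query_hash(headers, query)
            and d.get("b") == b64url(hashlib.sha256(body).digest()))


# Design 2 (Sergey's suggestion): the body itself is the JWS payload, so a filter can
# emit header, then payload chunks, then the MAC at the end without buffering the body;
# the header/query hash sits in the protected header and is covered by the signature.
def sign_body_as_jws(key, method, host, path, headers, query, body: bytes) -> str:
    protected = {"m": method, "u": host, "p": path, "hq": header_query_hash(headers, query)}
    return jws_compact_sign(key, protected, body)


def verify_body_jws(key, token, method, host, path, headers, query):
    """Return the recovered body bytes, or None if the signature or the bound request data fail."""
    try:
        hdr, body = jws_compact_verify(key, token)
    except ValueError:
        return None
    if (hdr.get("m"), hdr.get("u"), hdr.get("p")) != (method, host, path):
        return None
    if hdr.get("hq") != header_query_hash(headers, query):
        return None
    return body


if __name__ == "__main__":
    key = b"constructed-demo-key"                              # constructed sample key
    hdrs = {"Content-Type": "application/json", "Host": "api.example.com"}
    q = {"page": "2"}
    body = b'{"order":"42"}'                                   # constructed sample body
    t1 = sign_with_body_hash(key, "POST", "api.example.com", "/orders", hdrs, q, body)
    print("draft style ok:", verify_with_body_hash(key, t1, "POST", "api.example.com", "/orders", hdrs, q, body))
    t2 = sign_body_as_jws(key, "POST", "api.example.com", "/orders", hdrs, q, body)
    print("body-as-JWS recovered:", verify_body_jws(key, t2, "POST", "api.example.com", "/orders", hdrs, q))
```

The design difference is visible in the two signing functions: design 1 needs the full body before the descriptor can be built, while in design 2 the HMAC can be fed incrementally and the signature appended last, which is what makes a streaming filter possible on the sending side. On the receiving side both designs only let the verifier trust the body once the final signature segment has arrived, so a receiver that wants to act on a streamed body before the end still has to buffer or accept the risk; the example's verifiers deliberately return nothing until the MAC has been checked.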
