/blog/2012/12/17/http-signatures-with-content-hmac/index.html
HTML | 146 lines | 105 code | 40 blank | 1 comment | 0 complexity | 103c7dbc73c46d20530146b30b846f72 MD5 | raw file
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
- <head>
- <title>HTTP Signatures with Content-HMAC :: Jeff Lindsay
- </title>
-
- <meta name="description" content="" />
-
- <meta name="author" content="Jeff Lindsay" />
- <script type="text/javascript" src="/scripts/jquery-1.7.2.min.js"></script>
- <link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css" />
- <link href="http://fonts.googleapis.com/css?family=VT323" rel="stylesheet" type="text/css" />
- <link rel="stylesheet" type="text/css" href="/style/bootstrap.min.css" />
- <link rel="stylesheet" type="text/css" href="/style/pager.min.css" />
- <link rel="stylesheet" type="text/css" href="/style/alerts.min.css" />
- <link rel="stylesheet/less" type="text/css" href="/style/progrium.less" />
- <link rel="shortcut icon" type="image/x-icon" href="/images/JeffLindsayDeluxe.png" />
- <script type="text/javascript" src="/scripts/less-1.3.0.min.js"></script>
- <link rel="me" href="http://www.google.com/profiles/progrium" />
- <link rel="alternate" type="application/atom+xml" href="/blog/atom.xml" title="Jeff's Blog" />
- </head>
- <body>
- <div id="header">
- <div class="container">
- <div id="tree"></div>
- <h2><a href="/" title="Pragmatic idealist. Builder. Thought explorer."><span>Jeff Li</span>nds<span>ay</span></a></h2>
- <ul>
- <li><a href="/blog">Blog</a></li>
- <li><a href="http://github.com/progrium">Projects</a></li>
- <!--li>Blueprints</li-->
- <li><a href="/about.html">About</a></li>
- <li id="hire"><a href="mailto:progrium+hire@gmail.com">Hire Me</a></li>
- </ul>
- </div>
- </div>
- <div id="content">
- <div class="container">
- <div class="sidebar">
- <div class="portrait">
- <img src="/images/JeffLindsayDeluxe.png" width="150" height="150" />
- </div>
- <div class="button"><a href="/blog/atom.xml">Subscribe to Blog</a></div>
- <h6>Related Posts</h6>
- <ul>
-
- <li><a href="/blog/2014/02/06/the-start-of-the-age-of-flynn">The Start of the Age of Flynn</a></li>
-
- <li><a href="/blog/2013/11/13/viewdocs-hosted-markdown-project-documentation">Viewdocs: Hosted Markdown project documentation (finally!)</a></li>
-
- <li><a href="/blog/2013/08/18/hacker-dojo-community-trading-zone">Hacker Dojo: Community Trading Zone</a></li>
-
- <li><a href="/blog/2013/06/19/dokku-the-smallest-paas-implementation-youve-ever-seen">Dokku: The smallest PaaS implementation you've ever seen</a></li>
-
- <li><a href="/blog/2013/01/05/executable-tweets-and-programs-in-short-urls">Executable Tweets and Programs in Short URLs</a></li>
-
- <li><a href="/blog/2013/01/01/where-did-localtunnel-come-from">Where did Localtunnel come from?</a></li>
-
- <li><a href="/blog/2012/12/25/localtunnel-v2-available-in-beta">Localtunnel v2 available in beta</a></li>
-
- <li><a href="/blog/2012/12/15/avoiding-environmental-fallacy-with-systems-thinking">Avoiding environmental fallacy with systems thinking</a></li>
-
- <li><a href="/blog/2012/12/06/async-http-responses-with-response-redirection">Async HTTP Responses with Response Redirection</a></li>
-
- <li><a href="/blog/2012/11/26/x-callback-header-an-evented-web-building-block">X-Callback Header: Evented Web Building Block</a></li>
-
- </ul>
- </div>
- <div class="article">
- <div class="date">
- <span class="month">Dec</span>
- <span class="day">17</span><br />
- <span class="year">2012</span>
- </div>
- <h1><a href="/blog/2012/12/17/http-signatures-with-content-hmac">HTTP Signatures with Content-HMAC</a></h1>
- <p>Today I wanted to propose another header. It would be used for signing HTTP content with HMAC, and is appropriately called Content-HMAC. In <a href='http://progrium.com/blog/2012/11/26/x-callback-header-an-evented-web-building-block/'>a previous post</a> about the Callback header, I mentioned using an X-Signature header in callback requests to sign the payload of the callback. It looked like this:</p>
- <pre><code>X-Signature: sha1=<hexdigest of sha1 hmac></code></pre>
- <p>The HMAC would be built with just the content of the request (i.e., no headers, no query params) and a secret key. <a href='http://pubsubhubbub.googlecode.com/svn/trunk/pubsubhubbub-core-0.3.html#authednotify'>This was borrowed directly from the PubSubHubbub spec</a>, but the general idea of using HMAC to sign callback requests has become pretty standard in the world of webhooks. Here are details on how <a href='http://code.google.com/p/support/wiki/PostCommitWebHooks#Authentication'>Google</a> and <a href='http://www.twilio.com/docs/security#validating-requests'>Twilio</a> use them.</p>
- <p>Each of these providers is using their own header for basically the same use case. It would seem like there is an opportunity to standardize on a common header format for it. There’s been a number of proposals for a general Signature header to sign an entire request. There was a fairly comprehensive one proposed called <a href='http://tools.ietf.org/html/draft-burke-content-signature-00'>Content-Signature</a>. With signing, the difficulty is often getting the input string correct. Most signing mechanisms need to normalize their input. If you’ve ever had to deal with OAuth or AWS signatures, you’ll know what I’m talking about. With request signing, the headers pose a particularly tricky situation with signing since they often change as the request goes through proxies.</p>
- <p>The idea of Content-HMAC is to focus on a simpler goal of signing just the content payload, since it’s normally treated as-is, and is not altered when going through proxies. The X-Signature proposal I had was a decent one, as is almost any cowpath-based proposal, but I realized it would probably be a good idea to limit the implied scope to what it’s really doing: providing an HMAC for request (or response) content.</p>
- <p>It turns out there’s a similar header that’s not used that often anymore called Content-MD5. It was a simple mechanism to provide an MD5 digest of the content. My current proposal is to take this existing pattern and apply it to HMAC, giving us the Content-HMAC header:</p>
- <pre><code>Content-HMAC: <hash mechanism> <base64 encoded binary HMAC></code></pre>
- <p>Here’s an example:</p>
- <pre><code>Content-HMAC: sha1 f1wOnLLwcTexwCSRCNXEAKPDm+U=</code></pre>
- <p>This proposal borrows its naming convention from Content-MD5, but the format is more similar to Authorization. The Authorization header allows multiple authorization schemes to be used. You define the scheme followed by a space and then the actual authorization data. Since HMAC allows different hashing techniques to be used, we use that pattern here to let you specify the hashing technique. We also take the existing pattern of base64 encoding used in several HTTP headers to make it conform even more to existing standards.</p>
- <p>Content-HMAC was created for callback requests, but it’s a useful way to sign any HTTP request or response payload. For requests, it’s worth mentioning it only applies when there is a content payload, so for example it’s meaningless with GET requests.</p>
- <p>It’s also very worth mentioning that the need for content signing is unnecessary when using HTTPS. It currently looks like the future will eventually be 100% SSL encrypted HTTP, but until then, there will always be situations where HTTPS is not available. Content-HMAC is perhaps a stop-gap until we reach that ideal. Until then, I think Content-HMAC is a good, standard way to add authorization to callback requests.</p>
- <p>Let me know if you have any questions or feedback on this proposal. Further discussion is likely to happen on the <a href='https://groups.google.com/forum/#!forum/webhooks'>Webhooks Google Group</a>.</p>
- </div>
- <hr />
- <div id="disqus_thread"></div>
- <script type="text/javascript">
- /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
- var disqus_shortname = 'progrium'; // required: replace example with your forum shortname
- /* * * DON'T EDIT BELOW THIS LINE * * */
- (function() {
- var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
- dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js';
- (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
- })();
- </script>
- <noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
- <a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
- </div>
- <div id="roots">
- <img src="/images/roots.png" />
- </div>
- </div>
- <script type="text/javascript">
- var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
- document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
- </script>
- <script type="text/javascript">
- try {
- var pageTracker = _gat._getTracker("UA-6824126-1");
- pageTracker._trackPageview();
- } catch(err) {}</script>
- </body>
- </html>