You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+39-1Lines changed: 39 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,6 +15,7 @@ the [OpenAPI](https://github.com/OAI/OpenAPI-Specification) (fka Swagger) specif
15
15
*[Share Updating](#update)
16
16
*[Resharing](#reshare)
17
17
*[Invite](#invite)
18
+
*[Signing Request](#signing-request)
18
19
19
20
*[Contributing](#contributing)
20
21
@@ -35,6 +36,8 @@ If a finite whitelist of receiver servers exists on the sender side, then this l
35
36
36
37
When a sending server allows sharing to any internet-hosted receiving server, then discovery can happen from the sharee address, using the `/.well-known/ocm` (or `/ocm-provider`, for backwards compatibility) URL that receiving servers SHOULD provide according to this [specification](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1.well-known~1ocm/get).
37
38
39
+
In the eventuality of a need to confirm the identity of an incoming request, the discovery data SHOULD contain a public key. Each incoming request that requires to origin from an authentified source must be signed in its headers using the related private key.
40
+
38
41
To fill the gap between users knowning other peers' email addresses of the form `user@provider.org`, and the actual cloud storage endpoints being in the form `https://my-cloud-storage.provider.org`, a further discovery mechanism SHOULD be provided by implementations that wish to allow sending shares to any receiver, based on DNS `SRV` Service Records.
39
42
40
43
* A provider SHOULD ensure that a `type=SRV` DNS query to `_ocm._tcp.provider.org` resolves to e.g. `service = 10 10 443 my-cloud-storage.provider.org`
@@ -44,7 +47,7 @@ To fill the gap between users knowning other peers' email addresses of the form
44
47
To create a share, the sending server SHOULD make a HTTP POST request to the `/shares` endpoint of the receiving server ([docs](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1shares/post)).
45
48
46
49
### Share Acceptance
47
-
In response to a share creation, the receiving server MAY send back a [notification](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1notifications/post) to the sending server, with `notificationType` set to `"SHARE_ACCEPTED"` or `"SHARE_DECLINED"`. The sending server MAY expose this information to the end user.
50
+
In response to a share creation, the receiving server MAY send back a [notification](https://cs3org.github.io/OCM-API/docs.html?branch=develop&repo=OCM-API&user=cs3org#/paths/~1notifications/post) to the sending server, with `notificationType` set to `"SHARE_ACCEPTED"` or `"SHARE_DECLINED"`. The sending server MAY expose this information to the end user.
48
51
49
52
### Share Access
50
53
To access a share, the receiving server MAY use multiple ways, depending on the received payload and on the `protocol.name` property:
@@ -87,6 +90,41 @@ If an OCM provider exposes the capability `/mfa-capable`, it indicates that it w
87
90
Since there is no way to guarantee that the sharee OCM provider will actually enforce the MFA requirement, it is up to the sharer OCM provider to establish a trust with the OCM sharee provider such that it is reasonable to assume that the sharee OCM provider will honor the MFA requirement. This establishment of trust will inevitably be implementation dependent, and can be done for example using a pre approved allow list of trusted OCM providers. The procedure of establishing trust is out of scope for this specification: a mechanism similar to the [ScienceMesh](https://sciencemesh.io) integration for the [Invite](#invite) capability may be envisaged.
88
91
89
92
93
+
### Signing request
94
+
95
+
Signing request confirms the identity of the sender but does not encrypt nor affect its payload. A request can be signed by adding metadata to the headers and require a compatible discovery end point to broadcast the public key used to generate the signature.
96
+
97
+
The concept is to add unique metadata and sign them using a private/public key pair.
98
+
The location of the public key used to verify the signature will confirm the origin of the request.
99
+
100
+
Signature does not affect the data of the request, it only adds headers to it:
"Signature": "keyId=\"https://author.hostname/key\",algorithm=\"ras-sha256\",headers=\"content-length date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\""
109
+
}
110
+
```
111
+
112
+
- 'content-length' is the total length of the payload of the request
113
+
- 'date' is the datetime the request have been initiated
114
+
- 'digest' is a checksum of the payload of the request
115
+
- 'host' is the hostname of the recipient of the request (remote when signing outgoing request, local on incoming request)
116
+
- 'Signature' contains the signature generated using the private key, and metadata:
117
+
* 'keyId' is a unique id, formatted as an url. hostname is used to retrieve the public key via custom discovery
118
+
* 'algorithm' define the algorithm used to generate signature
119
+
* 'headers' contains a list of element used during the generation of the signature
120
+
* 'signature' is the encrypted string, using local private key, of an array containing elements
121
+
listed in 'headers' and their value. Some elements (content-length date digest host) are mandatory
0 commit comments