Re: [apps-discuss] [http-auth] Web Keys and HTTP Signatures

Michael Thomas <> Sun, 21 April 2013 22:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6508721F8606; Sun, 21 Apr 2013 15:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q1yQ54p36+FC; Sun, 21 Apr 2013 15:28:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B17F721F85EE; Sun, 21 Apr 2013 15:28:04 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id r3LMRsFN005687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 21 Apr 2013 15:27:56 -0700
Message-ID: <>
Date: Sun, 21 Apr 2013 15:27:50 -0700
From: Michael Thomas <>
User-Agent: Thunderbird (X11/20080501)
MIME-Version: 1.0
To: Manu Sporny <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4113; t=1366583277; x=1367447277; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20Michael=20Thomas=20<> |Subject:=20Re=3A=20[http-auth]=20Web=20Keys=20and=20HTTP=2 0Signatures |Sender:=20 |To:=20Manu=20Sporny=20<> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=8ZBasjG/AvuJPxLUB+9nYO6kLTbXp5GcSKFuh6Y3aWE=; b=g3Nj4eog5rEx1C3Pn/riVYayUxMpTVYuVAk6a65IcA2kVQLHvEHK15lhfl oeLUlWyVWf1r0ht0PGkvhlqjuHVz5uv0LibdZ7jFk/JYFKT1lbxUE1+0ZysA BoqFJrlLrSdSWfz2gCWEdsPWDCxuG1qJjLwv22w9BjUHwW1uKQoM8=;
Authentication-Results: ; v=0.1; dkim=pass ( sig from verified; ); dkim-asp=pass
X-Mailman-Approved-At: Mon, 22 Apr 2013 00:17:56 -0700
Cc: IETF Apps Discuss <>, IETF HTTP Auth <>, Web Payments CG <>, Mark Cavage <>
Subject: Re: [apps-discuss] [http-auth] Web Keys and HTTP Signatures
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Apr 2013 22:28:05 -0000

Manu Sporny wrote:

> The Javascript implementation of HOBA is also
> a hack in that it shoves authentication parameters into the URL and we
> /definitely/ don't want a Web where that becomes the norm. If this stuff
> is going to be integrated into the browser, we should not create a
> solution that makes it difficult for that to happen.

Um, HOBA-js is just client server protocol. It is completely normal and expected
for a web site to define the url parameters coming from the client. There's nothing
magical about signature parameters. The one thing that would need to be mentioned is
that there is no significance to the parameter names -- there would be no iana
registry or anything like that. The client and server would just need to agree
to their names and functionality which is nothing different than any other parameter.

 > The server would get the key:
> curl -H "Accept: application/ld+json"
> look for the owner of the key in the data, which would be:
> fetch that profile:
> curl -H "Accept: application/ld+json"
> and then see if it has that identity on record as having an account on
> the server. If it does, then it would verify that the key is owned by
> the profile and check the validity of the signature.

I don't know whether this is relevant, but HOBA doesn't require third parties.
It's just a get-rid-of-passwords-as-currently-deployed scheme. As such, it
doesn't require 3rd party trust, somebody else's business model, etc. Just drop
hoba in and deprecate passwords being stored on servers. I for one would be happy to
see a spec that limits itself to just the client server problem so that web
sites can get their heads around even that smaller problem without them exploding
when you drag 3rd party complexity in.

> 4.3.  Authentication Phase
> --------------------------
> The last part of the first paragraph and the last 3 paragraphs should
> just say that each topic covered is out of scope. The vast majority of
> this section deals with things that are out of scope for HOBA (and most
> HTTP Auth schemes).
> 4.4.  Logging in on a New User Agent
> ------------------------------------
> The vast majority of this section is out of scope for this spec as well.

I think you might be taking this draft way too literally. At least from my
vantage point, the idea in HOBA for the here and now is to sketch out how
this kind of idea could work, and the discussions about session, etc, is
to illustrate how it might work with real world sites today with real world
session management, etc. That is, you shouldn't read too much normative into
this draft.

> 5.  Using HOBA-js
> -----------------
> I don't understand why HOBA-http cannot be accomplished via JavaScript
> and XHR? Why do you need an entirely different way of encoding the HOBA
> protocol using only URL-based parameters?

The current draft is an amalgamation of two ideas that are generally similar.
I had independently come up with HOBA-js and then noticed Paul and Stephen
working on something similar. My idea was to use javascript+crypto libraries
and do this entirely at the application layer. Obviously webcrypto would be
a huge help, and get rid of dodgy js crypto libraries but it isn't available

This blog post documents what I did.

I actually have a live implementation that does this. FWIW, it uses time stamps instead
of nonces for replay protection.

> Unless I'm missing something, the entirety of this section is at the
> wrong level of abstraction and unnecessary.

It shows that this can be done today, and that it doesn't even require standardization.
The reason I put it out there is because crypto is hard to get right, and even if it
doesn't _require_ standardization, standardization is a good way of getting clueful
eyeballs on would-be crypto deployments.