Re: [apps-discuss] [http-auth] Web Keys and HTTP Signatures
Michael Thomas <mike@mtcc.com> Sun, 21 April 2013 22:28 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6508721F8606; Sun, 21 Apr 2013 15:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1yQ54p36+FC; Sun, 21 Apr 2013 15:28:04 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id B17F721F85EE; Sun, 21 Apr 2013 15:28:04 -0700 (PDT)
Received: from piolinux.mtcc.com (65-172-209-232.dsl.volcano.net [65.172.209.232]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id r3LMRsFN005687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 21 Apr 2013 15:27:56 -0700
Message-ID: <517467E6.5050407@mtcc.com>
Date: Sun, 21 Apr 2013 15:27:50 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Manu Sporny <msporny@digitalbazaar.com>
References: <5170652F.60609@digitalbazaar.com> <5171233D.303@cs.tcd.ie> <51735AD2.9040900@digitalbazaar.com>
In-Reply-To: <51735AD2.9040900@digitalbazaar.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4113; t=1366583277; x=1367447277; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[http-auth]=20Web=20Keys=20and=20HTTP=2 0Signatures |Sender:=20 |To:=20Manu=20Sporny=20<msporny@digitalbazaar.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=8ZBasjG/AvuJPxLUB+9nYO6kLTbXp5GcSKFuh6Y3aWE=; b=g3Nj4eog5rEx1C3Pn/riVYayUxMpTVYuVAk6a65IcA2kVQLHvEHK15lhfl oeLUlWyVWf1r0ht0PGkvhlqjuHVz5uv0LibdZ7jFk/JYFKT1lbxUE1+0ZysA BoqFJrlLrSdSWfz2gCWEdsPWDCxuG1qJjLwv22w9BjUHwW1uKQoM8=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
X-Mailman-Approved-At: Mon, 22 Apr 2013 00:17:56 -0700
Cc: IETF Apps Discuss <apps-discuss@ietf.org>, IETF HTTP Auth <http-auth@ietf.org>, Web Payments CG <public-webpayments@w3.org>, Mark Cavage <mark.cavage@joyent.com>
Subject: Re: [apps-discuss] [http-auth] Web Keys and HTTP Signatures
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Apr 2013 22:28:05 -0000
Manu Sporny wrote: > The Javascript implementation of HOBA is also > a hack in that it shoves authentication parameters into the URL and we > /definitely/ don't want a Web where that becomes the norm. If this stuff > is going to be integrated into the browser, we should not create a > solution that makes it difficult for that to happen. Um, HOBA-js is just client server protocol. It is completely normal and expected for a web site to define the url parameters coming from the client. There's nothing magical about signature parameters. The one thing that would need to be mentioned is that there is no significance to the parameter names -- there would be no iana registry or anything like that. The client and server would just need to agree to their names and functionality which is nothing different than any other parameter. > The server would get the key: > > curl -H "Accept: application/ld+json" https://dev.payswarm.com/i/manu/keys/3 > > look for the owner of the key in the data, which would be: > > https://dev.payswarm.com/i/manu > > fetch that profile: > > curl -H "Accept: application/ld+json" https://dev.payswarm.com/i/manu > > and then see if it has that identity on record as having an account on > the server. If it does, then it would verify that the key is owned by > the profile and check the validity of the signature. I don't know whether this is relevant, but HOBA doesn't require third parties. It's just a get-rid-of-passwords-as-currently-deployed scheme. As such, it doesn't require 3rd party trust, somebody else's business model, etc. Just drop hoba in and deprecate passwords being stored on servers. I for one would be happy to see a spec that limits itself to just the client server problem so that web sites can get their heads around even that smaller problem without them exploding when you drag 3rd party complexity in. > 4.3. Authentication Phase > -------------------------- > > The last part of the first paragraph and the last 3 paragraphs should > just say that each topic covered is out of scope. The vast majority of > this section deals with things that are out of scope for HOBA (and most > HTTP Auth schemes). > > 4.4. Logging in on a New User Agent > ------------------------------------ > > The vast majority of this section is out of scope for this spec as well. I think you might be taking this draft way too literally. At least from my vantage point, the idea in HOBA for the here and now is to sketch out how this kind of idea could work, and the discussions about session, etc, is to illustrate how it might work with real world sites today with real world session management, etc. That is, you shouldn't read too much normative into this draft. > > 5. Using HOBA-js > ----------------- > > I don't understand why HOBA-http cannot be accomplished via JavaScript > and XHR? Why do you need an entirely different way of encoding the HOBA > protocol using only URL-based parameters? The current draft is an amalgamation of two ideas that are generally similar. I had independently come up with HOBA-js and then noticed Paul and Stephen working on something similar. My idea was to use javascript+crypto libraries and do this entirely at the application layer. Obviously webcrypto would be a huge help, and get rid of dodgy js crypto libraries but it isn't available yet. This blog post documents what I did. http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html I actually have a live implementation that does this. FWIW, it uses time stamps instead of nonces for replay protection. > Unless I'm missing something, the entirety of this section is at the > wrong level of abstraction and unnecessary. It shows that this can be done today, and that it doesn't even require standardization. The reason I put it out there is because crypto is hard to get right, and even if it doesn't _require_ standardization, standardization is a good way of getting clueful eyeballs on would-be crypto deployments. Mike
- Re: [apps-discuss] [http-auth] Web Keys and HTTP … Michael Thomas
- Re: [apps-discuss] [http-auth] Web Keys and HTTP … Stephen Farrell
- [apps-discuss] Web Keys and HTTP Signatures Manu Sporny
- Re: [apps-discuss] Web Keys and HTTP Signatures Cyrus Daboo
- Re: [apps-discuss] [http-auth] Web Keys and HTTP … Manu Sporny
- Re: [apps-discuss] [http-auth] Web Keys and HTTP … Stephen Farrell
- Re: [apps-discuss] [http-auth] Web Keys and HTTP … Michael Thomas
- Re: [apps-discuss] Web Keys and HTTP Signatures Manu Sporny