Re: [http-auth] First draft of HTTP Signatures published

Manu Sporny <msporny@digitalbazaar.com> Sun, 12 May 2013 18:15 UTC

On 05/11/2013 11:37 PM, Yoav Nir wrote:
> The HTTP-Auth working group is chartered to work on a very specific
> set of documents. OTOH, the WebSec working group is considering
> adopting a work item for session continuation. Session continuation
> is supposed to be a replacement for authorizing requests via session
> cookies. See the problem statement here:
> 
> http://tools.ietf.org/html/draft-williams-websec-session-continue-prob-00
>
> If I understand correctly, your draft is aiming to solve that issue.
> So you might prefer to take your draft there.

Session management is out-of-scope for the HTTP Signatures spec. It's
true that a session management scheme could be built on top of HTTP
Signatures, but that is a second step. We know that many others are
working on session management right now, and would rather they see if
HTTP Signatures could be useful for them rather than try to shove
session management capabilities into HTTP Signatures.

The HTTP Signatures spec is a fairly simple, straightforward spec as-is.
We'd like to keep it that way. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/