Re: [http-auth] First draft of HTTP Signatures published

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 12 May 2013 13:23 UTC

Message-ID: <518F9794.6080905@cs.tcd.ie>
Date: Sun, 12 May 2013 14:22:28 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Yoav Nir <ynir@checkpoint.com>
References: <518D3C8B.3080807@digitalbazaar.com> <14CD3EC8-7302-4D8E-8575-1400352C7465@checkpoint.com>
In-Reply-To: <14CD3EC8-7302-4D8E-8575-1400352C7465@checkpoint.com>
Cc: HTTP Auth WG <http-auth@ietf.org>
Subject: Re: [http-auth] First draft of HTTP Signatures published

Yoav,

On 05/12/2013 04:37 AM, Yoav Nir wrote:
> Hi Manu
> 
> The HTTP-Auth working group is chartered to work on a very specific set of documents. OTOH, the WebSec working group is considering adopting a work item for session continuation. Session continuation is supposed to be a replacement for authorizing requests via session cookies. See the problem statement here:
> 
> http://tools.ietf.org/html/draft-williams-websec-session-continue-prob-00
> 
> If I understand correctly, your draft is aiming to solve that issue. So you might prefer to take your draft there.

Fair points. But I do think some discussion of the differences between
Manu's proposal and HOBA on this list might be beneficial before any
conclusion as to IETF WG venue etc. is reached.

In addition, I think Manu regards his scheme as a primary user
authentication scheme and not as a session continuation scheme, which
again argues for discussing it here.

The above discussion will be more useful when we've posted the rev
of HOBA, which will be in the next few days.

Cheers,
S. (as participant, of course;-)

> Yoav Nir (as co-chair of both groups)
> 
> On May 10, 2013, at 9:29 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
>> The HTTP Signatures spec is a digital signature mechanism for the HTTP
>> protocol. It adds origin authentication, message integrity, and replay
>> resistance to HTTP requests. This is useful for any application that
>> currently depends on Basic, Digest, OAuth, or OAuth2 authentication when
>> performing RESTful HTTP calls.
>>
>> Basically, if a client needs to prove to a server that it sent an
>> HTTP-based message, it can digitally sign that message. This spec
>> defines exactly how that happens.
>>
>> This spec will be used by the Web Payments / PaySwarm / Web Keys work at
>> W3C. We're going to combine the public/private key-based signature
>> mechanism defined in HTTP Signatures with the public key infrastructure
>> system as defined in Web Keys to provide an easy way for nodes on the
>> Internet to verify their identity to other nodes on the Internet.
>>
>> The first draft of this spec was just published via the Internet
>> Engineering Task Force (IETF) earlier today:
>>
>> http://tools.ietf.org/html/draft-cavage-http-signatures-00
>>
>> You can also find a datetime-stamped version of the spec here:
>>
>> https://payswarm.com/specs/ED/http-signatures/2013-05-04/
>>
>> The latest version of the spec can be found on the PaySwarm specs page:
>>
>> https://payswarm.com/specs/
>>
>> -- manu
>>
>> -- 
>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>> Founder/CEO - Digital Bazaar, Inc.
>> blog: Meritora - Web payments commercial launch
>> http://blog.meritora.com/launch/
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth