Re: Web Keys and HTTP Signatures

Nico Williams <nico@cryptonector.com> Mon, 08 July 2013 00:23 UTC

From: Nico Williams <nico@cryptonector.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org, websec@ietf.org
Date: Sun, 07 Jul 2013 19:21:57 -0500
Subject: Re: Web Keys and HTTP Signatures
In-Reply-To: <516F14E1.5040503@digitalbazaar.com>
References: <516F14E1.5040503@digitalbazaar.com>
Message-ID: <CAK3OfOiXOx=Xj+iDNb5afcadCExowojiBJb7JB-_OHJ6rg5dVg@mail.gmail.com>
Archived-At: <http://www.w3.org/mid/CAK3OfOiXOx=Xj+iDNb5afcadCExowojiBJb7JB-_OHJ6rg5dVg@mail.gmail.com>
List-Id: <ietf-http-wg.w3.org>

In the IETF Websec WG we call the use of MACs to bind requests (and
responses) to sessions: "session continuation".

There have been... many specific proposals and even deployed
protocols, like yours.

We really do need a standard method for session continuation.

Session continuation is predicated on having a session key already
exchanged, possibly by an authentication mechanism.  We'd like to
separate the two things: session continuation on the one hand, and key
exchange (and authentication) on the other.

If your protocol is mature enough it might well be the one we should
adopt.  I urge you to subscribe to websec@ietf.org and help us :)

Nico
--
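The message above describes "session continuation" as binding requests to an already-established session with a MAC, and asks that this be kept separate from the authentication or key exchange that produced the session key. The following Python example is added here to illustrate that split; it is not code from the message, from the Websec WG, or from the Web Keys proposal being replied to. It assumes a session table (`SESSION_KEYS`) whose keys were produced by some earlier, unspecified authentication step, and the header layout (`session`, `ts`, `nonce`, `mac`) and the set of covered headers are constructed for the example. The verifier includes the checks a server would want beyond the MAC itself: a freshness window on the timestamp, a replay cache keyed on the nonce, and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed session table: session id -> 256-bit session key.  In a real
# deployment the key comes out of the separate authentication / key exchange
# step; here it is generated inline so the example runs stand-alone.
SESSION_KEYS = {"sess-123": secrets.token_bytes(32)}

SIGNED_HEADERS = ("host", "content-type")  # request headers the MAC covers (assumed set)
MAX_SKEW_SECONDS = 300                       # freshness window for the timestamp
_seen_nonces = set()                         # replay cache of (session, nonce) pairs


def canonical_string(method, path, headers, body, session_id, ts, nonce):
    """Build the byte string the MAC covers.  Header names are lowercased and
    values stripped so that harmless reformatting by intermediaries does not
    break verification, while every field is newline-delimited so that bytes
    cannot be moved from one field into another without changing the input."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    parts = [
        method.upper(),
        path,
        *(f"{name}:{h.get(name, '')}" for name in SIGNED_HEADERS),
        hashlib.sha256(body).hexdigest(),  # body bound by its digest
        session_id,
        str(ts),
        nonce,
    ]
    return "\n".join(parts).encode("utf-8")


def sign_request(session_id, method, path, headers, body, now=None):
    """Client side: bind this request to the session with HMAC-SHA256."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    msg = canonical_string(method, path, headers, body, session_id, ts, nonce)
    mac = hmac.new(SESSION_KEYS[session_id], msg, hashlib.sha256).digest()
    return {
        "session": session_id,
        "ts": ts,
        "nonce": nonce,
        "mac": base64.b64encode(mac).decode("ascii"),
    }


def verify_request(sig, method, path, headers, body, now=None):
    """Server side: True only if the session exists, the timestamp is fresh,
    the nonce is unused, and the MAC matches what the server recomputes."""
    key = SESSION_KEYS.get(sig.get("session"))
    nonce = sig.get("nonce")
    if key is None or not isinstance(nonce, str):
        return False
    now = int(now if now is not None else time.time())
    try:
        ts = int(sig["ts"])
        presented = base64.b64decode(sig["mac"], validate=True)
    except (KeyError, ValueError, TypeError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    replay_key = (sig["session"], nonce)
    if replay_key in _seen_nonces:
        return False
    msg = canonical_string(method, path, headers, body, sig["session"], ts, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False
    _seen_nonces.add(replay_key)  # consume the nonce only on success
    return True


if __name__ == "__main__":
    hdrs = {"Host": "api.example.test", "Content-Type": "application/json"}
    body = b'{"amount": 5}'
    sig = sign_request("sess-123", "POST", "/pay", hdrs, body)
    print("valid:", verify_request(sig, "POST", "/pay", hdrs, body))
    print("replay:", verify_request(sig, "POST", "/pay", hdrs, body))
```

The nonce is recorded only after a successful verification, so a request that fails for an unrelated reason does not burn its nonce; in production the replay cache would be bounded by the same freshness window that bounds the timestamp, since anything older than `MAX_SKEW_SECONDS` is rejected before the cache is consulted.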