Web Keys and HTTP Signatures

Manu Sporny <msporny@digitalbazaar.com> Wed, 17 April 2013 21:33 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 273E221E80EC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 14:33:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 7ULpjRWOHlLM for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 14:33:48 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org []) by ietfa.amsl.com (Postfix) with ESMTP id 6DA6F21E80EB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Apr 2013 14:33:47 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USZy6-000576-4m for ietf-http-wg-dist@listhub.w3.org; Wed, 17 Apr 2013 21:32:42 +0000
Resent-Date: Wed, 17 Apr 2013 21:32:42 +0000
Resent-Message-Id: <E1USZy6-000576-4m@frink.w3.org>
Received: from lisa.w3.org ([]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USZy3-00056D-Cb; Wed, 17 Apr 2013 21:32:39 +0000
Received: from [] (helo=mail.digitalbazaar.com) by lisa.w3.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USZy2-00047l-Fm; Wed, 17 Apr 2013 21:32:39 +0000
Received: from zoe.digitalbazaar.com ([] ident=msporny) by mail.digitalbazaar.com with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USZxh-0005JQ-KE; Wed, 17 Apr 2013 17:32:17 -0400
Message-ID: <516F14E1.5040503@digitalbazaar.com>
Date: Wed, 17 Apr 2013 17:32:17 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20120624 Icedove/10.0.5
MIME-Version: 1.0
To: Web Payments CG <public-webpayments@w3.org>
CC: ietf-http-wg@w3.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Received-SPF: none client-ip=; envelope-from=msporny@digitalbazaar.com; helo=mail.digitalbazaar.com
X-W3C-Hub-Spam-Status: No, score=-2.8
X-W3C-Hub-Spam-Report: AWL=-4.043, RDNS_NONE=1.274
X-W3C-Scan-Sig: lisa.w3.org 1USZy2-00047l-Fm 0803f5f6fe1efab671ba4a8c1f02b542
X-Original-To: ietf-http-wg@w3.org
Subject: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/516F14E1.5040503@digitalbazaar.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17299
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

We've implemented Joyent's (node.js) HTTP Signature specification using
the public key infrastructure defined by the PaySwarm Web Keys spec.
We're pretty happy with the solution given that this is the third
approach that we've tried to apply to the HTTP request signatures problem.

For those not familiar with Joyent's HTTP Signature specification, it's


The Web Keys (horribly outdated) spec is here:

The modification that has been made to Joyent's spec is to:

1. Use a Web Key URL for the keyId parameter, which changes Joyent's
   solution to depend on a Web-native, decentralized public key
2. Sign the request line, date, and host parameters by default to
   tighten up the default security requirements (to reduce, but not
   eliminate, replay attacks).

What this means is that you can now do signed HTTP requests like GETs on
specific resources in a fairly simple and decentralized way. It also
means that you can use the Web Key information to create an Access
Control List to HTTP-based resources and enforce both authentication and
authorization of GETs/POSTs/etc. in one HTTP call.

This feature has already been integrated into the request HTTP module in


We'll be releasing a few demos of how one can use this authorization
scheme with Web Keys in the next couple of weeks. We expect to integrate
these sorts of HTTP Signatures into the Web Keys specification.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch