Web Keys and HTTP Signatures
Manu Sporny <msporny@digitalbazaar.com> Wed, 17 April 2013 21:33 UTC
Message-ID: <516F14E1.5040503@digitalbazaar.com>
Date: Wed, 17 Apr 2013 17:32:17 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
To: Web Payments CG <public-webpayments@w3.org>
CC: ietf-http-wg@w3.org
Subject: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/516F14E1.5040503@digitalbazaar.com>
We've implemented Joyent's (node.js) HTTP Signature specification using the public key infrastructure defined by the PaySwarm Web Keys spec. We're pretty happy with the solution given that this is the third approach that we've tried to apply to the HTTP request signatures problem.

For those not familiar with Joyent's HTTP Signature specification, it's here:

https://github.com/joyent/node-http-signature/blob/master/http_signing.md

The Web Keys (horribly outdated) spec is here:

https://payswarm.com/specs/source/web-keys/

The modification that has been made to Joyent's spec is to:

1. Use a Web Key URL for the keyId parameter, which changes Joyent's solution to depend on a Web-native, decentralized public key infrastructure.

2. Sign the request line, date, and host parameters by default to tighten up the default security requirements (to reduce, but not eliminate, replay attacks).

What this means is that you can now do signed HTTP requests like GETs on specific resources in a fairly simple and decentralized way. It also means that you can use the Web Key information to create an Access Control List to HTTP-based resources and enforce both authentication and authorization of GETs/POSTs/etc. in one HTTP call.

This feature has already been integrated into the request HTTP module in node.js:

https://github.com/mikeal/request/commit/95a25580375be1b9c39cc2e88a36a8387395bc13

We'll be releasing a few demos of how one can use this authorization scheme with Web Keys in the next couple of weeks. We expect to integrate these sorts of HTTP Signatures into the Web Keys specification.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
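An added illustration (not the author's code, nor the node request module's) of the scheme the message describes: the keyId carries the key's URL, the request line, Date and Host are covered by default, and the verifier refuses signatures that omit them or carry a Date outside a short window, which is the replay mitigation the message alludes to. Assumptions: the "request-line" label in the signing string is taken from Joyent's draft as I recall it, the key store, window and secret are constructed, and hmac-sha256 (one of the draft's algorithms) stands in for an RSA Web Key so the code runs on the standard library alone.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime

# Constructed stand-in for the Web Key lookup: keyId is the key's URL, which the real
# scheme dereferences. An HMAC secret (assumption) keeps this stdlib-only; Web Keys are RSA.
KEY_STORE = {"https://example.com/people/alice/keys/1": b"constructed-shared-secret"}
MAX_CLOCK_SKEW = timedelta(minutes=5)   # replay window; our choice, not from the spec
DEFAULT_HEADERS = ("request-line", "date", "host")   # the defaults Manu's variant signs

def signing_string(method, path, headers, names):
    """One 'name: value' line per covered header; the 'request-line' label (assumed
    from Joyent's draft) stands for the HTTP request line itself."""
    return "\n".join(f"{method} {path} HTTP/1.1" if n == "request-line"
                     else f"{n}: {headers[n]}" for n in names)

def mac(key, method, path, headers, names):
    return hmac.new(key, signing_string(method, path, headers, names).encode(),
                    hashlib.sha256).digest()

def sign_request(method, path, headers, key_id, key, names=DEFAULT_HEADERS):
    sig = base64.b64encode(mac(key, method, path, headers, names)).decode()
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{sig}"')

def parse_auth(value):
    scheme, _, params = value.partition(" ")
    if scheme != "Signature":
        raise ValueError("not an HTTP Signature header")
    return {k: v.strip('"') for k, _, v in (p.partition("=") for p in params.split(","))}

def verify_request(method, path, headers, now):
    """Verifier: refuse signatures that do not cover the defaults (else a signature could
    be replayed on another URL, host or time), bound the Date, then check the MAC."""
    p = parse_auth(headers["authorization"])
    names = p["headers"].split(" ")
    key = KEY_STORE.get(p["keyId"])
    if key is None or p["algorithm"] != "hmac-sha256" or not set(DEFAULT_HEADERS) <= set(names):
        return False
    if abs(now - parsedate_to_datetime(headers["date"])) > MAX_CLOCK_SKEW:
        return False
    return hmac.compare_digest(mac(key, method, path, headers, names),
                               base64.b64decode(p["signature"]))

def demo():
    """Sign a GET, then verify it, a replay of it against another path, and a stale copy."""
    key_id = "https://example.com/people/alice/keys/1"
    now = datetime(2013, 4, 17, 21, 32, 17, tzinfo=timezone.utc)
    h = {"date": formatdate(now.timestamp(), usegmt=True), "host": "example.com"}
    h["authorization"] = sign_request("GET", "/accounts/alice", h, key_id, KEY_STORE[key_id])
    return (verify_request("GET", "/accounts/alice", h, now),
            verify_request("GET", "/accounts/bob", h, now),
            verify_request("GET", "/accounts/alice", h, now + timedelta(hours=1)))
```

Because the request line and Host are inside the MAC, the same Authorization value cannot be moved to another resource or origin, and the Date window limits how long a captured request stays usable.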