Re: Web Keys and HTTP Signatures

Nico Williams <nico@cryptonector.com> Mon, 08 July 2013 00:10 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6002421F8E2A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 7 Jul 2013 17:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[AWL=4.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okpKrTYlLLsp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 7 Jul 2013 17:10:34 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 77F5821F9F84 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 7 Jul 2013 17:10:33 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uvz04-0008Qy-Gi for ietf-http-wg-dist@listhub.w3.org; Mon, 08 Jul 2013 00:08:16 +0000
Resent-Date: Mon, 08 Jul 2013 00:08:16 +0000
Resent-Message-Id: <E1Uvz04-0008Qy-Gi@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uvyzo-0008I1-H6; Mon, 08 Jul 2013 00:08:00 +0000
Received: from caiajhbdcagg.dreamhost.com ([208.97.132.66] helo=homiemail-a85.g.dreamhost.com) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uvyzn-0002DC-8d; Mon, 08 Jul 2013 00:08:00 +0000
Received: from homiemail-a85.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a85.g.dreamhost.com (Postfix) with ESMTP id 8B170BC031; Sun, 7 Jul 2013 17:07:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=5/XlK8cAHhWxH0zAEHfU rNBjDEw=; b=X5FtaF5Kytbgz0rW7a5LF7SuuQO29gd1uwAvL9cShugmaehs5tWP EWc1L+SWJVvoiLOrl8seI721NZnDWHrBCMKV80MCLrO2WLjU46QoC2+c68tnazAy 5COSzgzg5LbMH8PqCncXcwpU6ppSqkzGYywunLqkpveaPz0ZaaHJyag=
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a85.g.dreamhost.com (Postfix) with ESMTPSA id 0A8AEBC032; Sun, 7 Jul 2013 17:07:36 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id k10so3433342wiv.5 for <multiple recipients>; Sun, 07 Jul 2013 17:07:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uyHZHt3zfR+cVZcvEm2scprLNVQ31apMh/map866xz8=; b=UFNDi4aQ9zpBVYDrRnlCrOf7fwGpFgp61trhq8/sPWfCiO0P4S8y7OuQ3m7ztEgK7k f6jf0OJhcWISO0y6RcxrYmUc5vkAKc1LFCZq8GE3opA5nqPhp67Ma0NPbUodiSnT4PVU V0/xQhHbZTk+a1nZ3PKAF01lH1b3PeQzC7JLPRbVwocMC1DCNT6RqnM4VifIemuSkStm Lpp6rXJMc9FzalmpYIAgRTyx6u9VSFGVBkMT/c4moHORkpddStzf4Jv1lmXrne3d8ud0 OCZ+kV+Vc8yvdPNe8ugL6R20I1yFlloRuYuTRvUq8ZozOckG9+1S/xISqur2LiaViwjW v0Zg==
MIME-Version: 1.0
X-Received: by 10.180.107.71 with SMTP id ha7mr9935943wib.28.1373242055394; Sun, 07 Jul 2013 17:07:35 -0700 (PDT)
Received: by 10.216.152.73 with HTTP; Sun, 7 Jul 2013 17:07:35 -0700 (PDT)
In-Reply-To: <51701D20.8020901@digitalbazaar.com>
References: <516F14E1.5040503@digitalbazaar.com> <CADcbRROBGawSJ+=XWnhNN8SAszZF-LX9x+cuTBbLxicXmz_qPg@mail.gmail.com> <599A4C36-D3AC-46D5-8DA9-12D1EB9A6B9F@tzi.org> <51701D20.8020901@digitalbazaar.com>
Date: Sun, 7 Jul 2013 19:07:35 -0500
Message-ID: <CAK3OfOio7g0e29oc_oQmpQLVyRGcKtP5z24NGbkPVw8Ak6AsRg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Carsten Bormann <cabo@tzi.org>, Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
Content-Type: text/plain; charset=UTF-8
Received-SPF: none client-ip=208.97.132.66; envelope-from=nico@cryptonector.com; helo=homiemail-a85.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-4.5
X-W3C-Hub-Spam-Report: AWL=-2.499, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: maggie.w3.org 1Uvyzn-0002DC-8d e4ceba3dbe8698ffb1629412e8bcef9d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/CAK3OfOio7g0e29oc_oQmpQLVyRGcKtP5z24NGbkPVw8Ak6AsRg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18632
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Thu, Apr 18, 2013 at 11:19 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>> (Or maybe it can simply be replaced by one of the more learned
>> attempts under discussion, see
>> http://www.ietf.org/proceedings/85/minutes/minutes-85-httpauth
>> http://www.ietf.org/proceedings/86/minutes/minutes-86-httpauth for
>> some links.)
>
> Thanks for the link. We've looked at a number of those before, or
> variants of the approaches. Here's feedback on each:

> [...]
>
> HTTP REST Auth
> http://tools.ietf.org/id/draft-williams-http-rest-auth-03.txt
>
> This was the solution that seemed to be most interesting to the Web Keys
> and Web Payments work. However, it requires quite a bit of state to be
> remembered by the server (the Session URIs). Keeping the state of a
> "session" around isn't desirable. We didn't want there to be a concept
> of logging in and logging out of a website w/ the HTTP Signature stuff.
> We'd rather that sessions are built on top of HTTP Signatures via a HTTP
> header or cookie. Again, if we had to pick a back-up solution, HTTP REST
> Auth seems like it might work for us, but we'd rather not use if we
> don't have to.

State-less servers are also allowed for the REST auth approach.
There's a state cookie (which would have to contain, effectively,
state encrypted in a server-local key).  In a state-less
implementation there's no way to logout of a session persistently, but
that's OK.

I'm pleased that the RESTful approach to authentication is of interest
to you.  Sorry I missed this e-mail!

Nico
--