Re: Web Keys and HTTP Signatures

Carsten Bormann <cabo@tzi.org> Thu, 18 April 2013 05:56 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BB0621F8F33 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 22:56:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.579
X-Spam-Level:
X-Spam-Status: No, score=-8.579 tagged_above=-999 required=5 tests=[AWL=2.020, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8amCggK-6Fx for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 22:56:36 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id D93E621F8F0E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Apr 2013 22:56:35 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UShnz-0005AD-IC for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 05:54:47 +0000
Resent-Date: Thu, 18 Apr 2013 05:54:47 +0000
Resent-Message-Id: <E1UShnz-0005AD-IC@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1UShnw-000593-R7; Thu, 18 Apr 2013 05:54:44 +0000
Received: from mailhost.informatik.uni-bremen.de ([134.102.201.18] helo=informatik.uni-bremen.de) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1UShnv-0005e8-PM; Thu, 18 Apr 2013 05:54:44 +0000
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.4/8.14.4) with ESMTP id r3I5sDpk013753; Thu, 18 Apr 2013 07:54:13 +0200 (CEST)
Received: from [192.168.217.105] (p548933CC.dip.t-dialin.net [84.137.51.204]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id 9A0FE3C06; Thu, 18 Apr 2013 07:54:12 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
Content-Type: text/plain; charset=iso-8859-1
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CADcbRROBGawSJ+=XWnhNN8SAszZF-LX9x+cuTBbLxicXmz_qPg@mail.gmail.com>
Date: Thu, 18 Apr 2013 07:54:11 +0200
Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <599A4C36-D3AC-46D5-8DA9-12D1EB9A6B9F@tzi.org>
References: <516F14E1.5040503@digitalbazaar.com> <CADcbRROBGawSJ+=XWnhNN8SAszZF-LX9x+cuTBbLxicXmz_qPg@mail.gmail.com>
To: "David I. Lehn" <dil@lehn.org>
X-Mailer: Apple Mail (2.1503)
Received-SPF: none client-ip=134.102.201.18; envelope-from=cabo@tzi.org; helo=informatik.uni-bremen.de
X-W3C-Hub-Spam-Status: No, score=-4.0
X-W3C-Hub-Spam-Report: AWL=-1.725, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UShnv-0005e8-PM 0157a1a418b6c790f488d9e585fa3a64
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/599A4C36-D3AC-46D5-8DA9-12D1EB9A6B9F@tzi.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17325
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Apr 18, 2013, at 02:22, "David I. Lehn" <dil@lehn.org> wrote:

> if you find security issues

Wrong question.

A security spec is worthless if it doesn't establish useful security properties.

The spec needs a good look from people with more security mojo.
(Or maybe it can simply be replaced by one of the more learned attempts under discussion, see
http://www.ietf.org/proceedings/85/minutes/minutes-85-httpauth
http://www.ietf.org/proceedings/86/minutes/minutes-86-httpauth
for some links.)

*Then* you can look at whether you have implemented it correctly.

Grüße, Carsten