Re: [http-auth] Associating URI-based identities with HTTP requests

Manu Sporny <> Sun, 12 May 2013 18:38 UTC

Date: Sun, 12 May 2013 14:37:25 -0400
From: Manu Sporny <>
To: Michael Thomas <>
CC: HTTP WG <>, HTTP Auth WG <>

On 05/10/2013 03:23 PM, Michael Thomas wrote:
> is an email address, it has the property that it is
> globally unique as well as the property that if you put use it as an
> email address for an rfc x82[1|2] message, it will deliver email to
> me.

This is closer to the purpose than the 'identifier' just being unique.

> 102398019380984051850923405120948102801831234092843812304 on the
> other hand, it's a (statistically) unique identity. It doesn't have
> any other meaning beyond its (assumedly) uniqueness factor.

The types of identifiers that we want to use could be used w/ another
RFC/REC. For example, the Web Payments work at the W3C will use the

To assert the ownership of multiple keys. For example, do this:


You will see a set of 'publicKey's associated with identity. So, as long
as a message can be verified using any one of those public keys, you can
assert that the owner of the public key is that identity.

> The way I like to think of "accounts" with this is to think not in
> terms of a signature asserting ownership of some account identifier
> (email address, local handle, etc, etc), but rather that a set of one
> or more public keys is bound to a given account regardless of what
> the human factors name is (eg, username). That is, the identity that
> is asserted is the public key, nothing more, nothing less. It's up to
> the account server's logic to bind the relationships together (eg, in
> its users table), not the client side.

You can also go from the key to the owner of the key, for example, do this:


You can see that the key has an owner, who is:

However, using purely the key ID assumes that the key ID can always be
discovered in all HTTP Requests. This is not always the case. For
example, if the requestor has already authenticated via a cookie, but
has multiple identities associated w/ the cookie, then it would be
impossible to determine which identity they want to use when requesting
a certain operation on the server.

In short, we don't want to tightly couple the identity scheme with the
authentication or authorization scheme.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
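The two lookups the message describes (identity document to its set of 'publicKey's, and key document back to its owner) and the rule "verify against any one of those public keys", as an added example in Go. This is not code from the message, from Digital Bazaar or from the Web Payments work; the identity and key documents are constructed in memory instead of being dereferenced over HTTP, the URIs are placeholders, and Ed25519 stands in for whatever key type the real documents carry. It also shows the check a verifier wants when going from a key ID to an owner: the owner claim in the key document is only trusted when the owner's identity document lists that key back, so a key document cannot attach itself to an identity that never asserted it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyDoc is a constructed stand-in for a key document: the key's URI, the URI of
// its owner, and the public key itself.
type KeyDoc struct {
	ID     string
	Owner  string
	Public ed25519.PublicKey
}

// IdentityDoc is a constructed stand-in for an identity document listing the key
// URIs the identity asserts ownership of (the 'publicKey' set).
type IdentityDoc struct {
	ID         string
	PublicKeys []string
}

// Resolver replaces dereferencing the URIs over HTTP with in-memory lookups.
type Resolver struct {
	Keys       map[string]*KeyDoc
	Identities map[string]*IdentityDoc
}

// VerifyForIdentity accepts msg when any key the identity lists verifies sig,
// which also covers a request that carries no key ID at all. The key document
// must name the same owner, so the binding holds in both directions.
// Returns the ID of the key that verified.
func (r *Resolver) VerifyForIdentity(identityID string, msg, sig []byte) (string, error) {
	id, ok := r.Identities[identityID]
	if !ok {
		return "", errors.New("unknown identity")
	}
	for _, kid := range id.PublicKeys {
		k, ok := r.Keys[kid]
		if !ok || k.Owner != identityID {
			continue // listed but unresolvable, or points at a different owner
		}
		if ed25519.Verify(k.Public, msg, sig) {
			return kid, nil
		}
	}
	return "", errors.New("no key listed by the identity verifies this message")
}

// OwnerOfKey goes from a key ID to its owner, trusting the owner claim in the
// key document only if the owner's identity document lists the key back.
func (r *Resolver) OwnerOfKey(kid string) (string, error) {
	k, ok := r.Keys[kid]
	if !ok {
		return "", errors.New("unknown key")
	}
	id, ok := r.Identities[k.Owner]
	if !ok {
		return "", errors.New("owner identity not resolvable")
	}
	for _, listed := range id.PublicKeys {
		if listed == kid {
			return k.Owner, nil
		}
	}
	return "", errors.New("owner's identity document does not list this key")
}

// Placeholder URIs used by the fixture; they are not real endpoints.
const (
	AliceID = "https://identity.example/alice"
	Key1ID  = "https://identity.example/alice/keys/1"
	Key2ID  = "https://identity.example/alice/keys/2"
	RogueID = "https://keys.example/rogue" // claims alice as owner, never listed by alice
)

// NewFixture builds a resolver with two genuine keys for alice and one rogue key
// document. Private keys are returned so callers can sign with them.
func NewFixture() (*Resolver, map[string]ed25519.PrivateKey) {
	r := &Resolver{Keys: map[string]*KeyDoc{}, Identities: map[string]*IdentityDoc{}}
	privs := map[string]ed25519.PrivateKey{}
	for _, kid := range []string{Key1ID, Key2ID, RogueID} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		r.Keys[kid] = &KeyDoc{ID: kid, Owner: AliceID, Public: pub}
		privs[kid] = priv
	}
	r.Identities[AliceID] = &IdentityDoc{ID: AliceID, PublicKeys: []string{Key1ID, Key2ID}}
	return r, privs
}

func main() {
	r, privs := NewFixture()
	msg := []byte("constructed request digest") // what the client would sign
	sig := ed25519.Sign(privs[Key2ID], msg)
	fmt.Println(r.VerifyForIdentity(AliceID, msg, sig)) // Key2ID, <nil>
	fmt.Println(r.OwnerOfKey(Key1ID))                   // AliceID, <nil>
	fmt.Println(r.OwnerOfKey(RogueID))                  // "", error: not listed
}
```

The rogue key document illustrates why the owner lookup is not enough on its own: anyone can publish a key document that names another identity as owner, and only the identity document's own 'publicKey' list settles whether that claim is genuine.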