Re: [http-auth] Associating URI-based identities with HTTP requests

Manu Sporny <msporny@digitalbazaar.com> Sun, 12 May 2013 18:38 UTC

Message-ID: <518FE165.8060600@digitalbazaar.com>
Date: Sun, 12 May 2013 14:37:25 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
To: Michael Thomas <mike@mtcc.com>
CC: HTTP WG <ietf-http-wg@w3.org>, HTTP Auth WG <http-auth@ietf.org>
References: <518C07DD.2090307@digitalbazaar.com> <403D922E-86CF-4355-BBD2-A05F409C25F7@mnot.net> <518D3D0A.1010207@digitalbazaar.com> <518D491F.6000001@mtcc.com>
In-Reply-To: <518D491F.6000001@mtcc.com>
Subject: Re: [http-auth] Associating URI-based identities with HTTP requests
Archived-At: <http://www.w3.org/mid/518FE165.8060600@digitalbazaar.com>

On 05/10/2013 03:23 PM, Michael Thomas wrote:
> mike@mtcc.com is an email address, it has the property that it is
> globally unique as well as the property that if you use it as an
> email address for an rfc x82[1|2] message, it will deliver email to
> me.

This is closer to the purpose than the 'identifier' just being unique.

> 102398019380984051850923405120948102801831234092843812304 on the
> other hand, is a (statistically) unique identity. It doesn't have
> any other meaning beyond its (assumedly) uniqueness factor.

The types of identifiers that we want to use could be used w/ another
RFC/REC. For example, the Web Payments work at the W3C will use the
identifier:

https://dev.payswarm.com/i/manu

To assert the ownership of multiple keys. For example, do this:

curl https://dev.payswarm.com/i/manu

You will see a set of 'publicKey's associated with the identity. So, as
long as a message can be verified using any one of those public keys, you
can assert that the owner of the public key is that identity.

> The way I like to think of "accounts" with this is to think not in
> terms of a signature asserting ownership of some account identifier
> (email address, local handle, etc, etc), but rather that a set of one
> or more public keys is bound to a given account regardless of what
> the human factors name is (eg, username). That is, the identity that
> is asserted is the public key, nothing more, nothing less. It's up to
> the account server's logic to bind the relationships together (eg, in
> its users table), not the client side.

You can also go from the key to the owner of the key, for example, do this:

curl https://dev.payswarm.com/i/manu/keys/4

You can see that the key has an owner, who is:

https://dev.payswarm.com/i/manu

However, using purely the key ID assumes that the key ID can always be
discovered in all HTTP Requests. This is not always the case. For
example, if the requestor has already authenticated via a cookie, but
has multiple identities associated w/ the cookie, then it would be
impossible to determine which identity they want to use when requesting
a certain operation on the server.

In short, we don't want to tightly couple the identity scheme with the
authentication or authorization scheme.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
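The identity-to-key and key-to-owner lookups described in the message above, as an added example that is not part of the original thread or of PaySwarm's code: the two curl fetches are replaced by an offline resolver over identity and key documents constructed inline, and ed25519 keys are assumed in place of whatever key type the live documents use. The check is deliberately two-directional (the identity must list the key AND the key must name the identity as owner), a detail the thread does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-ins for the documents served at the identity and key URIs;
// the field names and the ed25519 key type are assumptions, not the live format.
type KeyDoc struct {
	Owner  string // identity URI this key document claims as its owner
	Public ed25519.PublicKey
}
type IdentityDoc struct{ PublicKeys []string } // key URIs the identity asserts it owns

// Resolver is an offline stand-in for `curl <uri>`: URI -> already-fetched document.
type Resolver struct {
	Identities map[string]IdentityDoc
	Keys       map[string]KeyDoc
}

// KeyBoundTo requires the binding in both directions (identity lists the key AND the
// key names the identity as owner): anyone can publish a key claiming another owner.
func (r Resolver) KeyBoundTo(identity, keyID string) (KeyDoc, error) {
	id, idOK := r.Identities[identity]
	key, keyOK := r.Keys[keyID]
	if !idOK || !keyOK || key.Owner != identity {
		return KeyDoc{}, errors.New("unknown identity or key, or key does not name identity as owner")
	}
	for _, k := range id.PublicKeys {
		if k == keyID {
			return key, nil
		}
	}
	return KeyDoc{}, errors.New("identity does not list this key")
}

// VerifyAs accepts sig over msg only if it was made by a key bound to identity. The key
// ID is explicit: as the thread notes, a request cannot always reveal the intended identity.
func (r Resolver) VerifyAs(identity, keyID string, msg, sig []byte) bool {
	key, err := r.KeyBoundTo(identity, keyID)
	return err == nil && ed25519.Verify(key.Public, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	manu, k4 := "https://dev.payswarm.com/i/manu", "https://dev.payswarm.com/i/manu/keys/4"
	r := Resolver{map[string]IdentityDoc{manu: {[]string{k4}}}, map[string]KeyDoc{k4: {manu, pub}}}
	msg := []byte("POST /transfer") // constructed request to sign
	fmt.Println(r.VerifyAs(manu, k4, msg, ed25519.Sign(priv, msg))) // true
}
```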