Re: Web Keys and HTTP Signatures

Manu Sporny <msporny@digitalbazaar.com> Thu, 18 April 2013 17:25 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B36D421F9385 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 10:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVuj4OKg9m4O for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 10:25:54 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 220D621F8F58 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 10:25:47 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USsZN-0005Xs-8Z for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 17:24:25 +0000
Resent-Date: Thu, 18 Apr 2013 17:24:25 +0000
Resent-Message-Id: <E1USsZN-0005Xs-8Z@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USsZJ-0005VD-WC; Thu, 18 Apr 2013 17:24:22 +0000
Received: from [216.252.204.51] (helo=mail.digitalbazaar.com) by maggie.w3.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USsZI-0003HI-VS; Thu, 18 Apr 2013 17:24:21 +0000
Received: from zoe.digitalbazaar.com ([192.168.0.99] ident=msporny) by mail.digitalbazaar.com with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USsYv-0005Iv-S4; Thu, 18 Apr 2013 13:23:57 -0400
Message-ID: <51702C2C.6030504@digitalbazaar.com>
Date: Thu, 18 Apr 2013 13:23:56 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20120624 Icedove/10.0.5
MIME-Version: 1.0
To: Carsten Bormann <cabo@tzi.org>
CC: Martin Thomson <martin.thomson@gmail.com>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
References: <516F14E1.5040503@digitalbazaar.com> <9DF0F237-62DC-4E82-A545-B09C6083849B@tzi.org> <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C90E93E@WSMSG3153V.srv.dir.telstra.com> <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com> <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
In-Reply-To: <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Received-SPF: none client-ip=216.252.204.51; envelope-from=msporny@digitalbazaar.com; helo=mail.digitalbazaar.com
X-W3C-Hub-Spam-Status: No, score=-2.8
X-W3C-Hub-Spam-Report: AWL=-4.065, RDNS_NONE=1.274
X-W3C-Scan-Sig: maggie.w3.org 1USsZI-0003HI-VS d5246bb19e617139cf20efb7a9e6a5f2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/51702C2C.6030504@digitalbazaar.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17340
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 04/18/2013 04:11 AM, Carsten Bormann wrote:
>> It seems like a simple fix would be to include the list of headers
>> under the signature as the first item.
> 
> Obviously.
> 
> The reason I didn't give this fix is that this just amounts to
> handing out more rope.
> 
> It seems to me the community may not have the resources to come up
> with a secure spec on their own. I'd rather motivate them to spend
> some quality time with security experts than just throw "fixes"  for
> the immediately obvious problems over the wall, somehow hoping nobody
> will find the deeper ones.

Carsten, this particular response is not helpful because:

1. You seem to be claiming to have knowledge about the proposed fix that
   makes it seem like the solution is a dead-end, yet you don't
   elaborate upon the claim.
2. You seem to be insinuating that there are deeper problems with the
   HTTP Signatures approach without expanding upon what those may be.
3. You make an appeal to authority (re: the "security experts" will be
   able to help.) without knowing who wrote the specifications,
   who is reading this thread and commenting elsewhere, nor who has
   already reviewed the specifications.

The reason we sent the initial message out was because we wanted
feedback from various communities, including the "security experts"
whoever those people may be. Responses like the one you make above don't
actually help us identify issues in the protocol or approach that are
being taken. I know that you probably did not mean to come across as
condescending or patronizing, but you have.

I'd like us to focus on technical issues and helping each other rather
than the sort of exchange above.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/