Re: Web Keys and HTTP Signatures
Manu Sporny <msporny@digitalbazaar.com> Thu, 18 April 2013 17:25 UTC
Message-ID: <51702C2C.6030504@digitalbazaar.com>
Date: Thu, 18 Apr 2013 13:23:56 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
To: Carsten Bormann <cabo@tzi.org>
CC: Martin Thomson <martin.thomson@gmail.com>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
References: <516F14E1.5040503@digitalbazaar.com> <9DF0F237-62DC-4E82-A545-B09C6083849B@tzi.org> <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C90E93E@WSMSG3153V.srv.dir.telstra.com> <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com> <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
In-Reply-To: <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/51702C2C.6030504@digitalbazaar.com>
On 04/18/2013 04:11 AM, Carsten Bormann wrote:
>> It seems like a simple fix would be to include the list of headers
>> under the signature as the first item.
>
> Obviously.
>
> The reason I didn't give this fix is that this just amounts to
> handing out more rope.
>
> It seems to me the community may not have the resources to come up
> with a secure spec on their own. I'd rather motivate them to spend
> some quality time with security experts than just throw "fixes" for
> the immediately obvious problems over the wall, somehow hoping nobody
> will find the deeper ones.

Carsten, this particular response is not helpful because:

1. You seem to be claiming to have knowledge about the proposed fix that
makes it seem like the solution is a dead-end, yet you don't elaborate
upon the claim.

2. You seem to be insinuating that there are deeper problems with the
HTTP Signatures approach without expanding upon what those may be.

3. You make an appeal to authority (re: the "security experts" will be
able to help) without knowing who wrote the specifications, who is
reading this thread and commenting elsewhere, or who has already
reviewed the specifications.

The reason we sent the initial message out was because we wanted
feedback from various communities, including the "security experts",
whoever those people may be. Responses like the one you make above
don't actually help us identify issues in the protocol or approach that
are being taken.

I know that you probably did not mean to come across as condescending
or patronizing, but you have. I'd like us to focus on technical issues
and helping each other rather than the sort of exchange above.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
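The fix quoted at the top of the message (putting the list of covered headers under the signature as its first item) can be illustrated with a verifier that rebuilds the signing string from the sender's claimed header list. This is an added example, not code from the thread or from the HTTP Signatures draft; the `headers:` line layout, the HMAC key, the sample request and the `required` policy are assumptions made for illustration.

```python
# Added example (not the draft's exact format): bind the covered-header list
# into the signed string, and let the verifier enforce its own coverage policy.
import hashlib
import hmac


def signing_string(covered, request_headers):
    """First line is the covered-header list itself, so the 'headers'
    parameter the sender sends is authenticated along with the values."""
    lines = ["headers: " + " ".join(covered)]
    for name in covered:
        lines.append(f"{name}: {request_headers[name]}")
    return "\n".join(lines)


def sign(key, covered, request_headers):
    msg = signing_string(covered, request_headers).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, claimed_covered, request_headers, signature, required=("date",)):
    # Policy check: the claimed list is authenticated, but the receiver still
    # decides which headers must be covered for the request to be acceptable.
    if not set(required) <= set(claimed_covered):
        return False
    try:
        expected = sign(key, claimed_covered, request_headers)
    except KeyError:  # a claimed header is absent from the request
        return False
    return hmac.compare_digest(expected, signature)


# Constructed sample request and shared secret (assumptions for the demo).
KEY = b"constructed-shared-secret"
REQUEST = {"date": "Thu, 18 Apr 2013 17:24:21 GMT",
           "host": "example.org",
           "content-md5": "constructed-digest"}
COVERED = ["date", "host", "content-md5"]


def demo():
    sig = sign(KEY, COVERED, REQUEST)
    return {
        "valid": verify(KEY, COVERED, REQUEST, sig),
        # Sender's list trimmed in transit: the signed first line no longer matches.
        "trimmed_list": verify(KEY, ["date"], REQUEST, sig),
        # A covered value changed: the rebuilt string differs.
        "altered_value": verify(KEY, COVERED, dict(REQUEST, host="other.example"), sig),
        # Legitimately signed, but covers fewer headers than the receiver requires.
        "missing_required": verify(KEY, ["date"], REQUEST, sign(KEY, ["date"], REQUEST),
                                   required=("date", "host")),
    }
```

The last case is the caveat a verifier needs even with the fix: signing the header list proves what the sender covered, not that the sender covered enough.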