Re: Web Keys and HTTP Signatures

Manu Sporny <> Thu, 18 April 2013 17:25 UTC

To: Carsten Bormann <>
CC: Martin Thomson <>, Web Payments CG <>, " Group" <>

On 04/18/2013 04:11 AM, Carsten Bormann wrote:
>> It seems like a simple fix would be to include the list of headers
>> under the signature as the first item.
> Obviously.
> The reason I didn't give this fix is that this just amounts to
> handing out more rope.
> It seems to me the community may not have the resources to come up
> with a secure spec on their own. I'd rather motivate them to spend
> some quality time with security experts than just throw "fixes" for
> the immediately obvious problems over the wall, somehow hoping nobody
> will find the deeper ones.

Carsten, this particular response is not helpful because:

1. You seem to be claiming to have knowledge about the proposed fix that
   makes it seem like the solution is a dead-end, yet you don't
   elaborate upon the claim.
2. You seem to be insinuating that there are deeper problems with the
   HTTP Signatures approach without expanding upon what those may be.
3. You make an appeal to authority (re: the "security experts" will be
   able to help.) without knowing who wrote the specifications,
   who is reading this thread and commenting elsewhere, nor who has
   already reviewed the specifications.

The reason we sent the initial message out was because we wanted
feedback from various communities, including the "security experts"
whoever those people may be. Responses like the one you make above don't
actually help us identify issues in the protocol or approach that are
being taken. I know that you probably did not mean to come across as
condescending or patronizing, but you have.

I'd like us to focus on technical issues and helping each other rather
than the sort of exchange above.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch