Re: Associating URI-based identities with HTTP requests
James M Snell <jasnell@gmail.com> Fri, 10 May 2013 23:44 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233CA21F90BB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2013 16:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.55
X-Spam-Level:
X-Spam-Status: No, score=-10.55 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y57AJktkkVTM for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2013 16:43:59 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 79FA621F8F28 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 10 May 2013 16:43:59 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UawyF-00067p-Gt for ietf-http-wg-dist@listhub.w3.org; Fri, 10 May 2013 23:43:27 +0000
Resent-Date: Fri, 10 May 2013 23:43:27 +0000
Resent-Message-Id: <E1UawyF-00067p-Gt@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1Uawy5-000675-MK for ietf-http-wg@listhub.w3.org; Fri, 10 May 2013 23:43:17 +0000
Received: from mail-ob0-f169.google.com ([209.85.214.169]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1Uawy4-000832-KA for ietf-http-wg@w3.org; Fri, 10 May 2013 23:43:17 +0000
Received: by mail-ob0-f169.google.com with SMTP id tb18so4847869obb.14 for <ietf-http-wg@w3.org>; Fri, 10 May 2013 16:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=H8fbjoMV8O0tPjb3PHnv6Ljie/VNmAww37N5Y70WmU8=; b=qVyVte4SzGHDgguE1kUgNi0fshyXaz+Lp1QDiyQdTraJ+NGKb9tHj5o/7BKNuoahsU /2UVc8E6e7M2sqtNHrmcUdUwem9BcTj7k/AuT8JoOoxuAVJTjXS062U1ktHw4zkc/mSR QxsyDseOyxPkDTihzhbhgmKjLYXKaEflS0MmPuh41rhOI8Aa/jLrgXahWFj1xpLZshkw kv1+fG18mwaoQOrWRSmP5xzf0S5iS/rV+DN09AhDCWhcqMGcqRy75cPvRojLyOcD/Amo xjxFAl4OuxzteO103beL9jfbc5WEscU14o1MqxNA5CL+byfn5tlmAJNvontu7NEHb4n4 HkIw==
MIME-Version: 1.0
X-Received: by 10.60.47.81 with SMTP id b17mr207812oen.63.1368229370712; Fri, 10 May 2013 16:42:50 -0700 (PDT)
Received: by 10.60.3.137 with HTTP; Fri, 10 May 2013 16:42:50 -0700 (PDT)
Received: by 10.60.3.137 with HTTP; Fri, 10 May 2013 16:42:50 -0700 (PDT)
In-Reply-To: <518D3D0A.1010207@digitalbazaar.com>
References: <518C07DD.2090307@digitalbazaar.com> <403D922E-86CF-4355-BBD2-A05F409C25F7@mnot.net> <518D3D0A.1010207@digitalbazaar.com>
Date: Fri, 10 May 2013 16:42:50 -0700
Message-ID: <CABP7RbdpBesOjAXThe3LA8JPLP36xM5CP1Msk_4p-JjuTyEjew@mail.gmail.com>
From: James M Snell <jasnell@gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: HTTP Auth WG <http-auth@ietf.org>, ietf-http-wg@w3.org
Content-Type: multipart/alternative; boundary="001a11c1fffe9cd88d04dc65b938"
Received-SPF: pass client-ip=209.85.214.169; envelope-from=jasnell@gmail.com; helo=mail-ob0-f169.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.670, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, WEIRD_PORT=0.001
X-W3C-Scan-Sig: lisa.w3.org 1Uawy4-000832-KA e6f7fe8e1fdc739e4decc68044745b95
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Associating URI-based identities with HTTP requests
Archived-At: <http://www.w3.org/mid/CABP7RbdpBesOjAXThe3LA8JPLP36xM5CP1Msk_4p-JjuTyEjew@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17943
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Re: when to use a link header, the rule I follow is fairly basic : if the value consists of a uri that is optionally typed and potentially requires additional metadata, and if you think the link relation will be generally useful in other scenarios (e.g. Atom links, json documents, html tags), then use a link relation. If, on the other hand it is something that only requires a uri with no additional metadata, and you don't care about non-http use cases, use a new header. Based on an initial review of your note, a new header is likely appropriate. On May 10, 2013 11:33 AM, "Manu Sporny" <msporny@digitalbazaar.com> wrote: > bcc: Web Payments mailing list > > We published the HTTP Signatures spec via the IETF a few days ago: > > http://lists.w3.org/Archives/Public/public-webpayments/2013May/0008.html > > That spec allows HTTP messages to be digitally signed. We are also > working on another spec called Web Keys, that allows people to create > identities and refer to them using URLs like: > > https://dev.payswarm.com/i/manu > > You can also publish RSA keys to locations on the Web and refer to them > like this: > > https://dev.payswarm.com/i/manu/keys/4 > > The Web Payments group wanted to pursue updating the HTTP "From:" Header > to allow both e-mail addresses and URLs, so one could do something like > this: > > POST /some/url HTTP/1.1 > Host: example.com > From: https://dev.payswarm.com/i/manu > Authorization: Signature keyId="https://dev.payswarm.com/i/manu/keys/4" > ... > > Effectively, this makes it so that an HTTP request is not only digitally > signed, but also bound to an identity of some sort. This is useful for > the Web Payments work because it allows us to process payments using a > single HTTP request (without introducing state into the HTTP transaction). > > After speaking with Mark Nottingham, he made it clear that this approach > may be difficult to pursue in this group because 'From' is in use and > has fairly well-understood semantics at this point in time. > > We're looking for feedback on the best approach for adding this sort of > feature to HTTP messages. > > So, here are some other options: Using a Link header, or defining a new > HTTP Header. > > Is there an RFC that explains when to define a new link relation and > when to define a new header? It seems like doing a link relation would > be better for the Web (by reducing HTTP header proliferation)? > > That said, the Web Keys spec would like to introduce some form of > 'identity' to be associated with a digital signature for HTTP messages. > > We want to send a pretty strong signal that this can be used as a > simpler way to authorize HTTP requests in certain scenarios (instead of > falling back to OAuth, OAuth2, etc.). Placing this in a separate header > might send a better message to developers (this is a primary feature of > HTTP, use it) than doing it as a Link header (which is slightly more > difficult to parse and create for developers). > > We could also shove it into an HTTP Signatures parameter, but that would > prevent applications that want to use a different authentication > mechanism from having the ability to refer to an identity using a URL. > > So, I think the proposal would be to create a 'Sender' header (ignore > the name for now, it's just a placeholder so we can discuss the > semantics of the header). This header would allow any URI to be placed > into the header (so you could do everything you can today with 'From', > and then in addition, you could also use URLs). For example, these would > all be valid uses of 'Sender': > > Sender: mailto:msporny@digitalbazaar.com > Sender: https://dev.payswarm.com/i/manu > Sender: sip:msporny@digitalbazaar.com > Sender: ssh://msporny;fingerprint=f3:8f:2f:..@example.com:1234 > > Authentication of the sender would be up to the application. In the Web > Keys spec, we'd use the Authorization: Signature field to verify the > Sender. > > Thoughts? What would be the best way to proceed on this? Link header or > HTTP header? Publish an I-D, or try to tack it on to an existing spec? > > -- manu > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: Meritora - Web payments commercial launch > http://blog.meritora.com/launch/ > >
- Associating URI-based identities with HTTP reques… Manu Sporny
- Re: Associating URI-based identities with HTTP re… James M Snell
- Re: [http-auth] Associating URI-based identities … Manu Sporny
- Re: Associating URI-based identities with HTTP re… Manu Sporny