Re: Web Keys and HTTP Signatures
"David I. Lehn" <dil@lehn.org> Thu, 18 April 2013 00:23 UTC
From: "David I. Lehn" <dil@lehn.org>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
On Wed, Apr 17, 2013 at 5:32 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> We've implemented Joyent's (node.js) HTTP Signature specification using
> the public key infrastructure defined by the PaySwarm Web Keys spec.
> We're pretty happy with the solution given that this is the third
> approach that we've tried to apply to the HTTP request signatures problem.
> ...
> We'll be releasing a few demos of how one can use this authorization
> scheme with Web Keys in the next couple of weeks. We expect to integrate
> these sorts of HTTP Signatures into the Web Keys specification.
>

This is a work in progress but is live on our sandbox server
https://dev.payswarm.com/. I don't want to keep everyone in suspense, so
here's a quick developer view on how to try this right now. :-)

Grab the latest payswarm.js from git and "npm install" the dependencies.
If you had a previous checkout, make sure jsonld is up-to-date and has the
latest require module from git.

    https://github.com/digitalbazaar/payswarm.js

Create an account on https://dev.payswarm.com/ if you don't already have
one. If you don't already have an access key, run the following and follow
the instructions to register one:

    node ./examples/register-new-key.js

You should have a "payswarm.cfg" file that has your key info. Now you can
use a raw curl-like tool we just wrote to access resources on the PaySwarm
Authority:

    ./bin/payswarm url https://dev.payswarm.com/i/myid/accounts

If you want to see the signature it's sending, you can use the debug mode
and look for the "REQUEST httpSignature authorization" line.

    NODE_DEBUG=request ./bin/payswarm url https://dev.payswarm.com/i/myid/accounts

The app is passing a list of headers we require along with the key id and
private key PEM from the config file down through to the recently added
HTTP signature support in the request module. The request gets signed and
shipped off and the server verifies it based on the public key that was
registered for that id. The request is then, roughly, authorized the same
as a session on the website.

This code just came online yesterday and really is a work in progress.
We're working to improve the tools and flow but you can use it now. Please
let us know how it works, if you have problems, or if you find security
issues. Thanks!

-dave
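
Added example, not part of the original message and not payswarm.js or request-module code: a minimal Node.js sketch of the flow described above, where the client signs a required header list with its private key and the server verifies against the public key registered for the key id. The `(request-target)` pseudo-header, the exact layout of the Authorization value, the key id URL and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key pair and registry; stand-ins for payswarm.cfg and the
// server-side table of registered public keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEY_ID = 'https://authority.example/i/myid/keys/1'; // placeholder id
const registeredKeys = new Map([[KEY_ID, publicKey]]);

// The string both sides sign: one "name: value" line per listed header.
function signingString(req, headerNames) {
  return headerNames.map((name) => {
    if (name === '(request-target)') {
      return `(request-target): ${req.method.toLowerCase()} ${req.path}`;
    }
    const value = req.headers[name];
    if (value === undefined) throw new Error(`missing signed header: ${name}`);
    return `${name}: ${value}`;
  }).join('\n');
}

// Client side: sign the listed headers and attach the Authorization header.
function signRequest(req, keyId, key, headerNames) {
  const sig = crypto.sign('sha256', Buffer.from(signingString(req, headerNames)), key);
  req.headers.authorization = `Signature keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${headerNames.join(' ')}",signature="${sig.toString('base64')}"`;
  return req;
}

// Server side: enforce the server's own required header list, accept only
// registered key ids, and rebuild the signing string from the received request.
function verifyRequest(req, requiredHeaders) {
  const m = /^Signature (.+)$/.exec(req.headers.authorization || '');
  if (!m) return false;
  const params = {};
  for (const [, k, v] of m[1].matchAll(/(\w+)="([^"]*)"/g)) params[k] = v;
  if (params.algorithm !== 'rsa-sha256') return false;
  const key = registeredKeys.get(params.keyId);
  if (!key) return false;
  const signed = (params.headers || '').split(' ');
  if (!requiredHeaders.every((h) => signed.includes(h))) return false;
  try {
    return crypto.verify('sha256', Buffer.from(signingString(req, signed)), key,
      Buffer.from(params.signature || '', 'base64'));
  } catch {
    return false; // a header named in the signature is absent from the request
  }
}
```

The server checks coverage against its own required list rather than trusting the client's `headers` parameter, so a signature that covers only `date` does not authorize a request to an arbitrary path.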