Re: Web Keys and HTTP Signatures

"David I. Lehn" <> Thu, 18 April 2013 00:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 492D121E80CB for <>; Wed, 17 Apr 2013 17:23:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.977
X-Spam-Status: No, score=-9.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id miziB2sDxz3l for <>; Wed, 17 Apr 2013 17:23:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7D38921E8043 for <>; Wed, 17 Apr 2013 17:23:58 -0700 (PDT)
Received: from lists by with local (Exim 4.72) (envelope-from <>) id 1UScd3-0002JZ-KV for; Thu, 18 Apr 2013 00:23:09 +0000
Resent-Date: Thu, 18 Apr 2013 00:23:09 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtp (Exim 4.72) (envelope-from <>) id 1UScd0-0002It-OA; Thu, 18 Apr 2013 00:23:06 +0000
Received: from ([]) by with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <>) id 1USccz-0001k3-VP; Thu, 18 Apr 2013 00:23:06 +0000
Received: by with SMTP id w15so1767148vbb.9 for <multiple recipients>; Wed, 17 Apr 2013 17:22:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=SwzWQ9iiZHdVkk1g00Ic7NhjbnQPNgeP08vRuwErmYs=; b=YOLbJDmkCwLMtGd6YaXMzP52KH/yvEGy2/QF1GM5qRq5Hc5ljE5Sb0/haSdU9373Dd Y4UPM1M103YFKPEvCoe5XG9pWMPrOIK0I93KWxLOtS9YNhwdR9wk+GF1NtBU27rWjwUA I/8b24A4TlxiJB5YS5DH/gDifKc0uo+vN77VOp8q7qPmskbgKFWNe9/YdUN6Njw6u7vc /rLyj6q85OS3RBs1pZqOQ4n7zhjHP6QjR/EvHkeBDFJJ4OHP1IjqAvOwTlkJGwjgSLrS FLDo9sV+lHuU5HE2g90aW/8ieB4FbFvQhFN9bj+YHVGm43s39bkKEbDpFjAP9AaDopTA ZZfA==
MIME-Version: 1.0
X-Received: by with SMTP id ii14mr6667507vcb.50.1366244560212; Wed, 17 Apr 2013 17:22:40 -0700 (PDT)
Received: by with HTTP; Wed, 17 Apr 2013 17:22:40 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Wed, 17 Apr 2013 20:22:40 -0400
X-Google-Sender-Auth: NsHgJKbGk2Uuy_mD3rYsFRAD-_k
Message-ID: <>
From: "David I. Lehn" <>
To: Manu Sporny <>
Cc: Web Payments CG <>,
Content-Type: text/plain; charset=ISO-8859-1
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-3.1
X-W3C-Hub-Spam-Report: AWL=-2.372, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: 1USccz-0001k3-VP 1690d78c374ced7dfb595e49364c1422
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <>
X-Mailing-List: <> archive/latest/17319
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Wed, Apr 17, 2013 at 5:32 PM, Manu Sporny <> wrote:
> We've implemented Joyent's (node.js) HTTP Signature specification using
> the public key infrastructure defined by the PaySwarm Web Keys spec.
> We're pretty happy with the solution given that this is the third
> approach that we've tried to apply to the HTTP request signatures problem.
> ...
> We'll be releasing a few demos of how one can use this authorization
> scheme with Web Keys in the next couple of weeks. We expect to integrate
> these sorts of HTTP Signatures into the Web Keys specification.

This is a work in progress but is live on our sandbox server  I don't want to keep everyone in suspense,
so here's a quick developer view on how to try this right now. :-)

Grab the latest payswarm.js from git and "npm install" the
dependencies. If you had a previous checkout, make sure jsonld is
up-to-date and has the latest require module from git.

Create an account on if you don't already have one.

If you don't already have an access key, run the following and follow
the instructions to register one:
node ./examples/register-new-key.js

You should have a "payswarm.cfg" file that has your key info.

Now you can use a raw curl-like tool we just wrote to access resources
on the PaySwarm Authority:
./bin/payswarm url

If you want to see the signature it's sending, you can use the debug
mode and look for the "REQUEST httpSignature authorization" line.
NODE_DEBUG=request ./bin/payswarm url

The app is passing a list of headers we require along with the key id
and private key PEM from the config file down through to the recently
added HTTP signature support in the request module. The request gets
signed and shipped off and the server verifies it based on the public
key that was registered for that id. Then the request is then,
roughly, authorized the same as a session on the website.

This code just came online yesterday and really is a work in progress.
We're working to improve the tools and flow but you can use it now.
Please let us know how it works, if you have problems, or if you find
security issues. Thanks!