Re: Web Keys and HTTP Signatures

Carsten Bormann <cabo@tzi.org> Thu, 18 April 2013 16:41 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50DC621F9050 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 09:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.936
X-Spam-Level:
X-Spam-Status: No, score=-8.936 tagged_above=-999 required=5 tests=[AWL=1.663, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgK3iLaOMbva for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 09:41:26 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id C6B2021F85ED for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 09:41:26 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USrsb-0004fs-BP for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 16:40:13 +0000
Resent-Date: Thu, 18 Apr 2013 16:40:13 +0000
Resent-Message-Id: <E1USrsb-0004fs-BP@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1USrsV-0004eF-0Q; Thu, 18 Apr 2013 16:40:07 +0000
Received: from mailhost.informatik.uni-bremen.de ([134.102.201.18] helo=informatik.uni-bremen.de) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1USrsU-0002vB-3m; Thu, 18 Apr 2013 16:40:06 +0000
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.4/8.14.4) with ESMTP id r3IGddUI025018; Thu, 18 Apr 2013 18:39:39 +0200 (CEST)
Received: from [192.168.217.105] (p548938F1.dip.t-dialin.net [84.137.56.241]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id A196431AC; Thu, 18 Apr 2013 18:39:38 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
Content-Type: text/plain; charset=iso-8859-1
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <51701D20.8020901@digitalbazaar.com>
Date: Thu, 18 Apr 2013 18:39:37 +0200
Cc: Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <34CDD6D5-32B6-477D-9F0E-7D6940DE02D9@tzi.org>
References: <516F14E1.5040503@digitalbazaar.com> <CADcbRROBGawSJ+=XWnhNN8SAszZF-LX9x+cuTBbLxicXmz_qPg@mail.gmail.com> <599A4C36-D3AC-46D5-8DA9-12D1EB9A6B9F@tzi.org> <51701D20.8020901@digitalbazaar.com>
To: Manu Sporny <msporny@digitalbazaar.com>
X-Mailer: Apple Mail (2.1503)
Received-SPF: none client-ip=134.102.201.18; envelope-from=cabo@tzi.org; helo=informatik.uni-bremen.de
X-W3C-Hub-Spam-Status: No, score=-4.0
X-W3C-Hub-Spam-Report: AWL=-1.739, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1USrsU-0002vB-3m 6f2af1c0466e5f2e2a17b3286f34b0bf
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/34CDD6D5-32B6-477D-9F0E-7D6940DE02D9@tzi.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17339
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> You also seem to be implying that you know of which security properties
> are not being established by http-signatures. Could you please elaborate?

No, I just reported that I got stuck trying to find out the security properties.

I was also unclear about the security objectives.  This is starting to become a bit clearer with the discussion now, but that doesn't replace a good exposition of what you are trying to achieve/what you think you have achieved.  So, for instance, I'd like to understand your stance on replay a bit better.  RFC 3552 and RFC 4101 may be good reading for the kind of question that tends to come up, and RFC 4949 will give you some terminology to minimize ambiguity.

Thanks a lot for the appraisal of the httpauth candidates -- this will be really useful input for the work of that WG.

Grüße, Carsten