Re: Web Keys and HTTP Signatures

Manu Sporny <msporny@digitalbazaar.com> Thu, 18 April 2013 17:55 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEEBB21F86E8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 10:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id un7xIms1sX6y for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 10:55:44 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BC48021F86D3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 10:55:42 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USt2f-0001WQ-5X for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 17:54:41 +0000
Resent-Date: Thu, 18 Apr 2013 17:54:41 +0000
Resent-Message-Id: <E1USt2f-0001WQ-5X@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USt2c-0001V8-3Q; Thu, 18 Apr 2013 17:54:38 +0000
Received: from [216.252.204.51] (helo=mail.digitalbazaar.com) by lisa.w3.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USt2b-0007R1-3m; Thu, 18 Apr 2013 17:54:38 +0000
Received: from zoe.digitalbazaar.com ([192.168.0.99] ident=msporny) by mail.digitalbazaar.com with esmtp (Exim 4.72) (envelope-from <msporny@digitalbazaar.com>) id 1USt24-0005y7-Uf; Thu, 18 Apr 2013 13:54:04 -0400
Message-ID: <5170333C.80506@digitalbazaar.com>
Date: Thu, 18 Apr 2013 13:54:04 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20120624 Icedove/10.0.5
MIME-Version: 1.0
To: Daniel Friesen <daniel@nadir-seen-fire.com>
CC: Martin Thomson <martin.thomson@gmail.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, Carsten Bormann <cabo@tzi.org>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <516F14E1.5040503@digitalbazaar.com> <9DF0F237-62DC-4E82-A545-B09C6083849B@tzi.org> <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C90E93E@WSMSG3153V.srv.dir.telstra.com> <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com> <516FF833.1000401@digitalbazaar.com> <516FFCCC.6060306@nadir-seen-fire.com>
In-Reply-To: <516FFCCC.6060306@nadir-seen-fire.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Received-SPF: none client-ip=216.252.204.51; envelope-from=msporny@digitalbazaar.com; helo=mail.digitalbazaar.com
X-W3C-Hub-Spam-Status: No, score=-2.8
X-W3C-Hub-Spam-Report: AWL=-4.065, RDNS_NONE=1.274
X-W3C-Scan-Sig: lisa.w3.org 1USt2b-0007R1-3m 39271fb715e6a3f743cc6f946d6a5af4
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/5170333C.80506@digitalbazaar.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17343
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Daniel Friesen wrote:
> You might want to think twice before you consider https implemented in
> anything other than a web browser absolutely secure:
> http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/

Yeah, good piece by Eran, seen it.

In the most basic form of Web Payments, we require HTTPS and HTTP
Signatures. For operations that are very sensitive, we require HTTPS,
HTTP Signatures, and digitally signed JSON.

Amos Jeffries wrote:
> Your auth scheme needs to be as self-contained as possible and take 
> advantage of every little bit of security that it can do without relying 
> on external layers such as the SSL/TLS layer. It is better to be 
> doubly-strong when HTTPS works than to depend on it alone break at the 
> first sign of trouble.

See above. We have multiple layers where it's important so hopefully if
one layer fails, the other two will make up for it to prevent a compromise.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/