Re: Web Keys and HTTP Signatures

Carsten Bormann <cabo@tzi.org> Thu, 18 April 2013 08:15 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 176C821F8F0D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 01:15:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.424
X-Spam-Level:
X-Spam-Status: No, score=-8.424 tagged_above=-999 required=5 tests=[AWL=2.175, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8i2SwuZaGWR for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 01:15:10 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 0668921F8F0E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 01:15:07 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USjwi-0002Gk-Lx for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 08:11:56 +0000
Resent-Date: Thu, 18 Apr 2013 08:11:56 +0000
Resent-Message-Id: <E1USjwi-0002Gk-Lx@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1USjwf-0002G1-T4; Thu, 18 Apr 2013 08:11:53 +0000
Received: from mailhost.informatik.uni-bremen.de ([134.102.201.18] helo=informatik.uni-bremen.de) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <cabo@tzi.org>) id 1USjwe-0003iT-Ea; Thu, 18 Apr 2013 08:11:53 +0000
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.4/8.14.4) with ESMTP id r3I8BJ6s010011; Thu, 18 Apr 2013 10:11:19 +0200 (CEST)
Received: from eduroam-pool3-111.wlan.uni-bremen.de (eduroam-pool3-111.wlan.uni-bremen.de [134.102.232.111]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id 4105E3D11; Thu, 18 Apr 2013 10:11:19 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
Content-Type: text/plain; charset="iso-8859-1"
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com>
Date: Thu, 18 Apr 2013 10:11:18 +0200
Cc: "David I. Lehn" <dil@lehn.org>, Manu Sporny <msporny@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
References: <516F14E1.5040503@digitalbazaar.com> <9DF0F237-62DC-4E82-A545-B09C6083849B@tzi.org> <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C90E93E@WSMSG3153V.srv.dir.telstra.com> <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1503)
Received-SPF: none client-ip=134.102.201.18; envelope-from=cabo@tzi.org; helo=informatik.uni-bremen.de
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: AWL=-2.300, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1USjwe-0003iT-Ea 3c255a38fb7ec3d312fbc735a7665345
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/60BA815F-52F5-449C-BD18-AE746DAFA991@tzi.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17329
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Apr 18, 2013, at 02:00, Martin Thomson <martin.thomson@gmail.com> wrote:

> It seems like a simple fix would be to
> include the list of headers under the signature as the first item.

Obviously.

The reason I didn't give this fix is that this just amounts to handing out more rope.

It seems to me the community may not have the resources to come up with a secure spec on their own.
I'd rather motivate them to spend some quality time with security experts than just throw "fixes"  for the immediately obvious problems over the wall, somehow hoping nobody will find the deeper ones.

Grüße, Carsten