Re: Web Keys and HTTP Signatures

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 18 Apr 2013 13:54:04 -0400
Message-ID: <5170333C.80506@digitalbazaar.com>
To: Daniel Friesen <daniel@nadir-seen-fire.com>
CC: Martin Thomson <martin.thomson@gmail.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, Carsten Bormann <cabo@tzi.org>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Daniel Friesen wrote:
> You might want to think twice before you consider https implemented in
> anything other than a web browser absolutely secure:
> http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/

Yeah, good piece by Eran, seen it.

In the most basic form of Web Payments, we require HTTPS and HTTP
Signatures. For operations that are very sensitive, we require HTTPS,
HTTP Signatures, and digitally signed JSON.

Amos Jeffries wrote:
> Your auth scheme needs to be as self-contained as possible and take 
> advantage of every little bit of security that it can do without relying 
> on external layers such as the SSL/TLS layer. It is better to be 
> doubly-strong when HTTPS works than to depend on it alone break at the 
> first sign of trouble.

See above. We have multiple layers where it's important so hopefully if
one layer fails, the other two will make up for it to prevent a compromise.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Thursday, 18 April 2013 17:54:38 UTC
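The layering Manu describes above (HTTPS plus an HTTP Signature over the request) is worth seeing concretely. The following is an added example, not code from this thread, from Digital Bazaar, or from the Web Payments work: it follows the general shape of the HTTP Signatures scheme of that era (a signing string of lowercased `name: value` lines, a `(request-target)` pseudo-header, RSA-SHA256, and a `Digest` header binding the body), but the key ID, host, date, request body and amounts are all constructed for the demonstration. The point it shows is the one Amos and Manu are making: if the TLS layer is lost and an attacker rewrites the request on the wire, a bearer token would still be accepted, while the signature layer rejects the altered message even though the attacker can recompute `Digest` themselves. The signed-JSON third layer is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Request is the minimal part of an HTTP request that the signature covers.
type Request struct {
	Method  string
	Path    string
	Headers http.Header
	Body    []byte
}

// newRequest builds a constructed request; host and date are illustrative values.
func newRequest(method, path, body string) *Request {
	h := http.Header{}
	h.Set("Host", "bank.example")                   // constructed
	h.Set("Date", "Thu, 18 Apr 2013 17:54:04 GMT") // constructed
	h.Set("Content-Type", "application/json")
	return &Request{Method: method, Path: path, Headers: h, Body: []byte(body)}
}

// signingString joins one "name: value" line per covered header; the
// (request-target) pseudo-header binds method and path.
func signingString(r *Request, names []string) string {
	lines := make([]string, 0, len(names))
	for _, n := range names {
		n = strings.ToLower(n)
		v := strings.TrimSpace(r.Headers.Get(n))
		if n == "(request-target)" {
			v = strings.ToLower(r.Method) + " " + r.Path
		}
		lines = append(lines, n+": "+v)
	}
	return strings.Join(lines, "\n")
}

// digestHeader is the body hash carried in the Digest header; anyone can
// compute it, so it only matters because the signature covers it.
func digestHeader(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// Sign sets Digest and Signature on r using the client's RSA key.
func Sign(r *Request, keyID string, priv *rsa.PrivateKey, names []string) error {
	r.Headers.Set("Digest", digestHeader(r.Body))
	h := sha256.Sum256([]byte(signingString(r, names)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	r.Headers.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, strings.Join(names, " "), base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// parseSignature splits the key="value" parameters of the Signature header.
func parseSignature(v string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(v, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return out
}

// Verify checks the signature against the known key for keyId. The signer
// chooses which headers it covers, so the verifier must insist on the ones
// that matter: target, time (replay window) and body digest.
func Verify(r *Request, keys map[string]*rsa.PublicKey) error {
	p := parseSignature(r.Headers.Get("Signature"))
	pub, ok := keys[p["keyId"]]
	if !ok {
		return errors.New("unknown keyId")
	}
	if p["algorithm"] != "rsa-sha256" {
		return errors.New("unsupported algorithm")
	}
	names := strings.Fields(p["headers"])
	for _, req := range []string{"(request-target)", "date", "digest"} {
		if !strings.Contains(" "+strings.ToLower(p["headers"])+" ", " "+req+" ") {
			return fmt.Errorf("signature does not cover %s", req)
		}
	}
	if r.Headers.Get("Digest") != digestHeader(r.Body) {
		return errors.New("digest does not match body")
	}
	sig, err := base64.StdEncoding.DecodeString(p["signature"])
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(signingString(r, names)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// RunScenario signs a constructed transfer, verifies it, then plays the
// on-the-wire attacker who rewrites the body and recomputes Digest but
// cannot re-sign. Returns whether each version verified.
func RunScenario() (genuineVerifies, tamperedVerifies bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	const keyID = "https://payer.example/keys/1" // constructed Web Key URL
	keys := map[string]*rsa.PublicKey{keyID: &priv.PublicKey}
	covered := []string{"(request-target)", "host", "date", "digest"}

	req := newRequest("POST", "/transfers", `{"amount":"10.00","to":"merchant.example"}`)
	if err := Sign(req, keyID, priv, covered); err != nil {
		return false, false, err
	}
	genuineVerifies = Verify(req, keys) == nil

	req.Body = []byte(`{"amount":"9999.00","to":"attacker.example"}`)
	req.Headers.Set("Digest", digestHeader(req.Body)) // attacker fixes up the hash
	tamperedVerifies = Verify(req, keys) == nil
	return genuineVerifies, tamperedVerifies, nil
}

func main() {
	g, t, err := RunScenario()
	fmt.Println("genuine verifies:", g, "tampered verifies:", t, "err:", err)
}
```

The verifier-side requirement that `(request-target)`, `date` and `digest` be among the covered headers is the check practitioners most often forget: a signature over only `Date` is valid cryptographically but binds nothing an attacker cares about. A real deployment would additionally reject `Date` values outside a short window and, as Manu notes, sign the JSON body itself for the most sensitive operations.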