
Re: setting headers in JS for HTTP Signature

From: <henry.story@bblfish.net>
Date: Mon, 9 Nov 2015 18:32:31 +0000
Cc: public-webid <public-webid@w3.org>, Andrei Sambra <asambra@mit.edu>
Message-Id: <27AC9453-F096-4A46-874D-6697D9B4B70F@bblfish.net>
To: W3C Credentials Community Group <public-credentials@w3.org>

> On 8 Nov 2015, at 11:17, henry.story@bblfish.net wrote:
> I have opened an issue on the whatwg Fetch issues list to see if 
> they can add a function to allow one to access the headers before
> they get sent, so that one could actually sign as many of the 
> headers possible.
> https://github.com/whatwg/fetch/issues/156

On irc annevk wrote (unofficially I suppose):

> yeah I looked at that and that doesn't seem like something we'll address anytime soon
> the headers to be transmitted are in the network stack which is mostly post-Fetch
> although it's all a bit gobbled up admittedly since the standards are a bit post-implementation

That's not that surprising. 

So as we can't get the Date or things that may play the role of a nonce, what do we do?

WebID-RSA (https://github.com/solid/solid-spec#webid-rsa) has the server send a nonce. Though I am not sure how the server would remember which nonce was sent. Also the lack of a date seems to make it open to replay attacks. (Which is why having access to the date in the Signature is quite important.)

With HTTP Signatures we can get something like the WebID by passing a User header with the WebID. But we'd need to find a way to add an extra date header, which I suppose should never be more than a few seconds out of sync with the real date header.

Any ideas?

annevk also wrote (first impression, but it's always interesting to collect those):
> That draft seems to sorta skip over justification for why it's a good idea to begin with

Anyway, he's thinking about it. But even if they do advance we'd need something we can use now.

Received on Monday, 9 November 2015 18:33:02 UTC
