Re: [apps-discuss] Web Keys and HTTP Signatures

Hi Manu,

--On April 18, 2013 at 5:27:11 PM -0400 Manu Sporny 
<msporny@digitalbazaar.com> wrote:

> My name is Manu Sporny. I'm the current Chair of the W3C RDFa WG, JSON
> for Linking Data (JSON-LD) CG, and Web Payments CG. I am also an editor
> of various W3C specs and member of the HTML WG and RDF WG.
>
> There is a relatively new spec at W3C called Web Keys[1] that now
> supports HTTP Signatures[2]. It is being worked on as a part of the Web
> Payments[3] work. Specifically, the PaySwarm[4] specifications use Web
> Keys and HTTP request signatures.
>
> We'd like to coordinate with the IETF on this work to make sure we have
> all parties interested in solving this problem involved in the work. We
> would also like more eyes doing security audits[5] on the protocol.

> [2]
> https://github.com/joyent/node-http-signature/blob/master/http_signing.md

That draft is very similar to the approach we have used in iSchedule 
(<https://datatracker.ietf.org/doc/draft-desruisseaux-ischedule/>) - which 
is an HTTP-based calendar and scheduling messaging protocol.

We choose to re-use existing email signing technology - DKIM 
(<http://tools.ietf.org/html/rfc6376>) - primarily because the security 
model and key management were a good fit for our application. There is also 
the benefit of code re-use, and working with a protocol that is already 
deployed and used heavily in the email environment. Also, DKIM was designed 
with the prospect of being applicable to protocols beyond email technology 
- and I think with iSchedule we have proven it can work with HTTP.

I would definitely urge you to take a serious look at DKIM. There are a 
number of interesting features there that don't seem to have been addressed 
in the draft you cited. In particular dealing with both header and body 
canonicalization (headers are particular problem in HTTP due to 
intermediaries, caches etc).

-- 
Cyrus Daboo

Received on Friday, 19 April 2013 15:34:17 UTC