Lift nonces / trailers into separate spec

This is mostly directed at Mark Cavage, but thought it would be good to
keep the Web Payments and HTTP Auth groups apprised of the situation.

We had a quick 5-minute discussion on the #payswarm IRC channel about
the optional features of HTTP signatures last week. Dave Lehn really
didn't like that we were complicating the HTTP Signatures spec by
talking about nonces (for HTTP) and HTTP trailer signatures. Dave
Longley suggested that we move all optional features of the HTTP
Signatures spec into a separate spec.

This would have two positive outcomes:

1. It would make it so that we can focus on the core spec and push
   that forward at IETF.
2. It would reduce the "aww, man - not nonces again!" complaints.

While we do have a pretty solid plan for nonces and trailers[1], we may
not want to burn the time on ironing out all of the gory details right
now since we don't have anyone demanding that HTTP Signatures work over
an unencrypted connection.

Ben Adida pointed me at this spec when I mentioned that we were working
on HTTP Signatures (he's a co-author of the Hawk protocol):

https://github.com/hueniverse/hawk

A couple of takeaways from that implementation:

* The way they do time synchronization is interesting.
* The way they do nonces is basically the same approach we take.
* Theirs is an HMAC solution, which we really, really
  don't want to support.
* Bewit is interesting, but I don't think it has a place in HTTP
  Signatures.
* We want to integrate most of their security considerations section
  into the HTTP Signatures Security Considerations document.

-- manu

[1] https://payswarm.com/minutes/2013-06-19/

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

Received on Monday, 24 June 2013 04:38:15 UTC