Re: HTTP Signatures draft published at IETF

On 5/6/13 5:45 PM, Manu Sporny wrote:
> On 05/06/2013 09:24 AM, Kingsley Idehen wrote:
>>> https://payswarm.com/specs/ED/http-signatures/2013-05-04/
>>>
>> Have you considered using this effort to get IETF folks to
>> understand why the "From:" header needn't be mailto: URI scheme
>> specific?
> You mean for Internet Message Format (RFC 5322)? Not really. It would be
> an interesting discussion to have, but I just don't have the time to
> pursue it.

No, just a tweak to HTTP re. acceptable values for the "From:" request
header.

>> Right now, I could pull off what I describe by using a Linked Data
>> URI that denotes a public key for the keyid. Basically, the URI
>> would resolve to a public key that I use to verify the signed
>> payload.
> Yes, this is exactly why we are pushing HTTP Signatures forward at IETF.
> The Web Keys spec will use the 'keyId' field in HTTP Signatures to
> express a Linked Data URI. A receiver of the HTTP message will look up
> the key to verify the contents of the message, and then could look up
> the owner of the key to understand who sent the message.
>
> It's a pretty simple and powerful mechanism that could be extended to
> RFC 5322, or an HTTP-based messaging format which could be tied into our
> current e-mail infrastructure. Alternatively, a new/simpler messaging
> system could be built on top of the Web using HTTP Signatures to perform
> verified message delivery between hosts.

I am not too worried about messages due to S/MIME. I just want to see 
user agents with the ability to provide verifiable information (via HTTP 
request headers) about the identity of their users.

>
>> If we have the "From:" header extended to support URIs rather than
>> mailto: URIs only, one could then use a Linked URI that denotes an
>> Agent as a mechanism for accessing a public key used to verify signed
>> payloads.
> Yep. Now for the simple matter of convincing the IETF that this is worth
> pursuing. :P
>
> -- manu
>
We have something here on many levels. "From:" just adds an intuitive 
feature for those that don't want to delve too deeply into entity 
relationship semantics and RDF.

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 7 May 2013 01:25:23 UTC
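
The receiver-side flow discussed in this thread (resolve the `keyId` URI to a public key, verify the signed headers, then tie a URI-valued `From:` header to the key's owner), as an added example that is not code from the thread or from the HTTP Signatures draft. Assumptions: the `Signature keyId=…,algorithm=…,headers=…,signature=…` parameter layout and the newline-joined signing string (the thread itself names only `keyId`), the `example.org` URIs, and the in-memory `KEY_DOCS` map that stands in for dereferencing the key URI.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for the sender's key (generated on each run).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Stand-in for dereferencing a Linked Data keyId URI: keyId -> { owner, publicKey }.
const KEY_DOCS = new Map([
  ['https://example.org/people/alice#key-1',
   { owner: 'https://example.org/people/alice#this', publicKey }],
]);

// Assumed signing string: "name: value" for each listed header, joined by newlines.
function signingString(headers, names) {
  return names.map((n) => {
    if (!(n in headers)) throw new Error(`missing signed header: ${n}`);
    return `${n}: ${headers[n]}`;
  }).join('\n');
}

// Sender side: build the Authorization header value over the named headers.
function sign(headers, names, keyId, key) {
  const sig = crypto.sign('sha256', Buffer.from(signingString(headers, names)), key);
  return `Signature keyId="${keyId}",algorithm="rsa-sha256",` +
         `headers="${names.join(' ')}",signature="${sig.toString('base64')}"`;
}

// Receiver side: returns the key owner's URI if the request verifies, else null.
function verify(headers) {
  const auth = headers.authorization || '';
  if (!auth.startsWith('Signature ')) return null;
  const p = {};
  for (const m of auth.slice(10).matchAll(/(\w+)="([^"]*)"/g)) p[m[1]] = m[2];
  const doc = KEY_DOCS.get(p.keyId); // unknown keyId: reject
  // Pin the algorithm rather than letting the request choose it.
  if (!doc || p.algorithm !== 'rsa-sha256' || !p.headers || !p.signature) return null;
  const names = p.headers.split(' ');
  // Policy assumption: From must be covered by the signature and must name the
  // owner of the key; otherwise the identity claim is unauthenticated.
  if (!names.includes('from') || headers.from !== doc.owner) return null;
  let data;
  try { data = signingString(headers, names); } catch { return null; }
  const ok = crypto.verify('sha256', Buffer.from(data), doc.publicKey,
                           Buffer.from(p.signature, 'base64'));
  return ok ? doc.owner : null;
}
```
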