Re: HTTP Signatures specification updated

On 02/10/2014 11:46 PM, Anders Rundgren wrote:
> The difference as I see it is that a DateTime says "when" while a
> MessageID uniquely identifies the actual message from the sender's
> perspective like for example a PO number.
> 
> Nanosecond time-stamps are (de-facto) non-standard which is another 
> possible objection to the current scheme.

True, but no one said that the timestamp has to be accurate. It just has
to count up. Machines that don't have a stable sub-second counter can
still create a counter and count up (which is the "MessageID" approach
you talk about). That is, both can be used in the same mechanism.

Message 1: 2014-03-02T20:59:40,000000001-0000
Message 1: 2014-03-02T21:00:30,000000002-0000

... and so on. Note the MessageID is just a counter that counts up,
injected into the nanosecond field of the ISO-8601 datetime.

I'm playing devil's advocate. The cleaner design would clearly be to
have a separate "nonce" field that counts up. The question is, do we
really need that? I'm claiming that we don't and the above is simpler to
implement than the latter nonce-based approach.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Worlds First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Monday, 3 March 2014 02:02:50 UTC
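
The scheme described in the message above, as an added example that is not part of the original e-mail or of the HTTP Signatures specification: a sender that injects a counter into the nanosecond field and a receiver that rejects any stamp that does not count up. The names `Stamper`, `ReplayGuard` and `key_id` are hypothetical, and the receiver is assumed to have already verified a signature that covers the stamp.

```python
import re
from datetime import datetime, timezone

# Stamp layout taken from the message: seconds, comma, 9-digit field, "-0000".
_STAMP = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),(\d{9})-0000")

def parse_stamp(stamp):
    """Return (epoch_seconds, counter) so stamps compare as tuples."""
    m = _STAMP.fullmatch(stamp)
    if m is None:
        raise ValueError("unrecognised stamp: %r" % stamp)
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return int(when.replace(tzinfo=timezone.utc).timestamp()), int(m.group(2))

class Stamper:
    """Sender side: coarse clock plus a counter in the nanosecond field."""
    def __init__(self, clock):
        self._clock = clock      # callable returning whole epoch seconds
        self._last_sec = 0
        self._counter = 0

    def next(self):
        # Clamp so a clock step backwards cannot produce a smaller stamp.
        self._last_sec = max(int(self._clock()), self._last_sec)
        self._counter += 1
        if self._counter > 999_999_999:
            raise OverflowError("counter no longer fits the 9-digit field")
        t = datetime.fromtimestamp(self._last_sec, timezone.utc)
        return f"{t:%Y-%m-%dT%H:%M:%S},{self._counter:09d}-0000"

class ReplayGuard:
    """Receiver side: remember the highest stamp accepted per key."""
    def __init__(self):
        self._highest = {}       # key_id (hypothetical name) -> (sec, counter)

    def accept(self, key_id, stamp):
        value = parse_stamp(stamp)
        if key_id in self._highest and value <= self._highest[key_id]:
            return False         # replayed or reordered message
        self._highest[key_id] = value
        return True

if __name__ == "__main__":
    guard = ReplayGuard()
    for s in ["2014-03-02T20:59:40,000000001-0000",   # from the message
              "2014-03-02T21:00:30,000000002-0000",   # from the message
              "2014-03-02T20:59:40,000000001-0000"]:  # constructed replay
        print(s, guard.accept("key-1", s))
```

A sender that restarts within the same clock second would reissue a low counter under this sketch, so the last issued stamp has to be persisted if restarts are expected.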