Re: Review Request for third draft of "Signing HTTP Messages"

On 05/08/2014 06:53 PM, Melvin Carvalho wrote:
> One thing, I'm slightly confused as to how algorithms should be
> specified.
> 
> For example: SHA256 appears in the document in both lower case and
> upper case. It also appears both with a hyphen and without a hyphen.
> I'm also currently using sha-256 as specified in RFC 6920.

It depends on where you're using it.

If you use it in the Digest header, it's "SHA-256" per RFC 5843:
http://tools.ietf.org/html/rfc5843#section-1.1

If you use it in the algorithm parameter of the Signature header or Auth
scheme, or you're specifying a particular signature algorithm, you
should use the value out of the signature algorithm registry:

http://tools.ietf.org/id/draft-cavage-http-signatures-02.html#rfc.appendix.E.2

> I'd like to start using things like ECDSA signature as defined in
> crypto currencies, but I am finding it challenging to find an easy to
> spot pattern in the naming.
> 
> Any guidance would be appreciated.

I spent a lot of time looking at how this sort of stuff is specified and
I couldn't see a pattern. Most of the RFC authors just specify the
values in the documents themselves. I also searched the entire IANA
registry for generic signature or hashing algorithm registries and
didn't find anything. Some do exist, but they tend to be very specific
to particular technologies (like TLS). Perhaps someone more
knowledgeable in this area, like Julian, could shed some light on a
general registry for hashing or signing algorithms.

If there are none, the spec requests that IANA create one here:

http://tools.ietf.org/id/draft-cavage-http-signatures-02.html#rfc.appendix.E.2

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
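To make the distinction above concrete, here is an added example (not code from the draft or from anyone in this thread) that builds a request carrying both headers: the Digest header spells the algorithm "SHA-256" as RFC 5843 does, while the Signature header's algorithm parameter carries the registry token "hmac-sha256". The shared secret, keyId, header values and body are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed demo values; nothing here comes from the thread or the draft.
SHARED_SECRET = b"constructed-demo-secret"
KEY_ID = "demo-key"


def digest_header(body: bytes) -> str:
    """RFC 3230/5843 instance digest: token 'SHA-256' plus base64 of the raw hash."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(headers: dict, names: list) -> str:
    """Lower-cased header name, ': ', value, one per line, in the listed order."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return "\n".join(f"{n}: {lookup[n]}" for n in names)


def signature_header(headers: dict, names: list, secret: bytes, key_id: str) -> str:
    """The 'algorithm' parameter uses the registry token, not the Digest spelling."""
    mac = hmac.new(secret, signing_string(headers, names).encode(), hashlib.sha256).digest()
    return (f'keyId="{key_id}",algorithm="hmac-sha256",headers="{" ".join(names)}",'
            f'signature="{base64.b64encode(mac).decode()}"')


def build_signed_headers(body: bytes, secret: bytes = SHARED_SECRET) -> dict:
    headers = {"Host": "example.com", "Date": "Thu, 15 May 2014 20:30:18 GMT",
               "Digest": digest_header(body)}
    headers["Signature"] = signature_header(headers, ["host", "date", "digest"], secret, KEY_ID)
    return headers


def parse_signature_header(value: str) -> dict:
    params = {}
    for part in value.split(","):
        k, _, v = part.partition("=")  # only the first '=' separates key and value
        params[k.strip()] = v.strip().strip('"')
    return params


def verify(headers: dict, body: bytes, secret: bytes) -> bool:
    """Recompute the digest and the MAC; reject unknown algorithm tokens outright."""
    params = parse_signature_header(headers["Signature"])
    if params.get("algorithm") != "hmac-sha256" or headers.get("Digest") != digest_header(body):
        return False
    names = params["headers"].split(" ")
    expected = hmac.new(secret, signing_string(headers, names).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(params["signature"]))
```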

Received on Thursday, 15 May 2014 20:30:18 UTC