- From: David I. Lehn <dil@lehn.org>
- Date: Wed, 17 Apr 2013 20:22:40 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
On Wed, Apr 17, 2013 at 5:32 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> We've implemented Joyent's (node.js) HTTP Signature specification using
> the public key infrastructure defined by the PaySwarm Web Keys spec.
> We're pretty happy with the solution given that this is the third
> approach that we've tried to apply to the HTTP request signatures problem.
> ...
> We'll be releasing a few demos of how one can use this authorization
> scheme with Web Keys in the next couple of weeks. We expect to integrate
> these sorts of HTTP Signatures into the Web Keys specification.
> This is a work in progress but is live on our sandbox server https://dev.payswarm.com/.

I don't want to keep everyone in suspense, so here's a quick developer view
on how to try this right now. :-)

Grab the latest payswarm.js from git and "npm install" the dependencies.
If you had a previous checkout, make sure jsonld is up-to-date and has the
latest require module from git.

https://github.com/digitalbazaar/payswarm.js

Create an account on https://dev.payswarm.com/ if you don't already have one.

If you don't already have an access key, run the following and follow the
instructions to register one:

  node ./examples/register-new-key.js

You should have a "payswarm.cfg" file that has your key info.

Now you can use a raw curl-like tool we just wrote to access resources on
the PaySwarm Authority:

  ./bin/payswarm url https://dev.payswarm.com/i/myid/accounts

If you want to see the signature it's sending, you can use the debug mode
and look for the "REQUEST httpSignature authorization" line.

  NODE_DEBUG=request ./bin/payswarm url https://dev.payswarm.com/i/myid/accounts

The app is passing a list of headers we require along with the key id and
private key PEM from the config file down through to the recently added
HTTP signature support in the request module. The request gets signed and
shipped off and the server verifies it based on the public key that was
registered for that id. The request is then, roughly, authorized the same
as a session on the website.

This code just came online yesterday and really is a work in progress.
We're working to improve the tools and flow but you can use it now. Please
let us know how it works, if you have problems, or if you find security
issues.

Thanks!
-dave
Received on Thursday, 18 April 2013 00:23:06 UTC