Re: Web Keys and HTTP Signatures

From: Carsten Bormann <cabo@tzi.org>
Date: Thu, 18 Apr 2013 18:39:37 +0200
Cc: Web Payments CG <public-webpayments@w3.org>, ietf-http-wg@w3.org
Message-Id: <34CDD6D5-32B6-477D-9F0E-7D6940DE02D9@tzi.org>
To: Manu Sporny <msporny@digitalbazaar.com>
> You also seem to be implying that you know of which security properties
> are not being established by http-signatures. Could you please elaborate?

No, I just reported that I got stuck trying to find out the security properties.

I was also unclear about the security objectives.  This is starting to become a bit clearer with the discussion now, but that doesn't replace a good exposition of what you are trying to achieve/what you think you have achieved.  So, for instance, I'd like to understand your stance on replay a bit better.  RFC 3552 and RFC 4101 may be good reading for the kind of question that tends to come up, and RFC 4949 will give you some terminology to minimize ambiguity.

Thanks a lot for the appraisal of the httpauth candidates -- this will be really useful input for the work of that WG.

Grüße, Carsten
Received on Thursday, 18 April 2013 16:40:07 UTC