- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 18 Apr 2013 13:23:56 -0400
- To: Carsten Bormann <cabo@tzi.org>
- CC: Martin Thomson <martin.thomson@gmail.com>, Web Payments CG <public-webpayments@w3.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 04/18/2013 04:11 AM, Carsten Bormann wrote:

>> It seems like a simple fix would be to include the list of headers
>> under the signature as the first item.
>
> Obviously.
>
> The reason I didn't give this fix is that this just amounts to
> handing out more rope.
>
> It seems to me the community may not have the resources to come up
> with a secure spec on their own. I'd rather motivate them to spend
> some quality time with security experts than just throw "fixes" for
> the immediately obvious problems over the wall, somehow hoping nobody
> will find the deeper ones.

Carsten, this particular response is not helpful because:

1. You seem to be claiming to have knowledge about the proposed fix that makes it seem like the solution is a dead-end, yet you don't elaborate upon the claim.

2. You seem to be insinuating that there are deeper problems with the HTTP Signatures approach without expanding upon what those may be.

3. You make an appeal to authority (re: the "security experts" will be able to help) without knowing who wrote the specifications, who is reading this thread and commenting elsewhere, nor who has already reviewed the specifications.

The reason we sent the initial message out was because we wanted feedback from various communities, including the "security experts", whoever those people may be. Responses like the one you make above don't actually help us identify issues in the protocol or approach that are being taken.

I know that you probably did not mean to come across as condescending or patronizing, but you have. I'd like us to focus on technical issues and helping each other rather than the sort of exchange above.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Thursday, 18 April 2013 17:24:22 UTC