Re: draft-ietf-httpbis-message signature demo

Henry, this is great, thank you for sharing!

I especially find it interesting how you’ve threaded in the WWW-Authenticate and Authorization headers to fit into the Solid authorization framework. We deliberately left off the Authorization header usage in the base spec, but I think the way you’ve managed it is interesting and should work fairly well.

Just a couple notes and questions from what I can understand of the implementation here:

- Was there a reason not to use the “Accept-Signature” header alongside the WWW-Authenticate header? This would allow the pod to specify some of the signature parameters that it expects in the next request.
- The demonstration signed an empty component set. This is specifically called out as not recommended by the signature spec, as the signature is not tied to the request at all. Can you help me understand the rationale for using an unbound signature here?
- Following the previous point, I’d recommend at least signing the @path or @target-uri of the resource request (especially since Solid nodes are all URI-based).
- I’d recommend using the “nonce” and “tag” parameters in the signature as well.

Overall, it’s great to see this in the wild!

Thanks again for sharing,
 — Justin
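As an added illustration of the points above (not code from either message, nor from Henry's Scala library), the Python below builds the signature base the way the message-signatures spec describes and shows why an empty component set is unbound: two different requests to the same pod produce the same signature, while covering @method and @target-uri together with nonce and tag parameters ties each signature to one request. The HMAC key, pod URIs and parameter values are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample: two requests a crawler might send to a Solid pod (hypothetical URIs).
KEY = b"constructed-demo-shared-secret"  # HMAC key stands in for the real signing key
REQ_A = ("GET", "https://pod.example/alice/events/2023-06-07", {"host": "pod.example"})
REQ_B = ("DELETE", "https://pod.example/alice/profile/card", {"host": "pod.example"})

def derive_component(name, method, target_uri, headers):
    """Serialize one covered component as the signature spec defines it."""
    if name == "@method":
        return method.upper()
    if name == "@target-uri":
        return target_uri
    if name == "@path":
        return urlsplit(target_uri).path or "/"
    if name == "@authority":
        return urlsplit(target_uri).netloc.lower()
    if name.startswith("@"):
        raise ValueError(f"derived component {name} not handled in this demo")
    value = headers.get(name.lower())  # HTTP field: lowercased name ...
    if value is None:
        raise ValueError(f"covered field {name} is absent from the message")
    return value.strip()  # ... and whitespace-trimmed value

def signature_params(components, params):
    """Serialize the inner list that becomes the @signature-params line."""
    inner = "(" + " ".join(f'"{c}"' for c in components) + ")"
    for k, v in params.items():  # created/expires are integers, the rest are strings
        inner += f";{k}={v}" if isinstance(v, int) else f';{k}="{v}"'
    return inner

def signature_base(components, params, method, target_uri, headers):
    """Build the canonical signature base; the signature is computed over exactly this text."""
    lines = [f'"{c}": {derive_component(c, method, target_uri, headers)}' for c in components]
    lines.append(f'"@signature-params": {signature_params(components, params)}')
    return "\n".join(lines)

def sign(components, params, request):
    base = signature_base(components, params, *request)
    return hmac.new(KEY, base.encode(), hashlib.sha256).hexdigest()

def unbound_signatures_collide():
    """Empty component set: nothing from either request enters the base, so signatures match."""
    params = {"created": 1686158400, "keyid": "demo-key"}
    return sign([], params, REQ_A) == sign([], params, REQ_B)

def bound_signatures_differ():
    """Covering @method and @target-uri plus nonce/tag ties each signature to one request."""
    params = {"created": 1686158400, "keyid": "demo-key", "nonce": "b3k2", "tag": "solid-auth"}
    comps = ["@method", "@target-uri"]
    return sign(comps, params, REQ_A) != sign(comps, params, REQ_B)
```

A verifier that also records seen nonces per keyid can then reject a replayed bound signature, which the empty-set variant gives it no way to do.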

On Jun 14, 2023, at 4:03 AM, Henry Story <henry.story@bblfish.net> wrote:

Dear HttpBis community,

  I recorded a demonstration of using HTTP Message Signatures with
Tim Berners-Lee’s Solid Authentication Rules by showing a web Spider,
crawling some Linked Data Event Streams, which I presented at the Solid CG [1].

The video is up on Twitter here. (It seems to be too large for YouTube to process)

<https://twitter.com/bblfish/status/1666547828506742788>
Today I presented the @ietf's upcoming HTTPSig protocol (@http_wg) at the @w3c Solid Community Group meeting. I illustrated it by running my #scala crawler on #BigData published as #LinkedData #EventStreams protected with #solidProject access control rules. This is about as…

This demo is up to date with the January version of the spec I think. I will try
to update the libraries being used for this as soon as I can afford to.

Links to the code and other are in the meeting minutes below [1].

Btw. the libraries are written in Scala and are designed to compile to JS and Java.
Node JS may require a little more work. Native is also possible with scala-native.

Henry Story

[1] https://github.com/solid/specification/blob/main/meetings/2023-06-07.md#httpsig-auth-demo

Received on Wednesday, 14 June 2023 18:53:47 UTC