Re: draft-ietf-httpbis-message signature demo

> On 14. Jun 2023, at 20:52, Justin Richer <jricher@mit.edu> wrote:
> 
> Henry, this is great, thank you for sharing!
> 
> I especially find it interesting how you’ve threaded in the WWW-Authenticate and Authorization header to fit into the Solid authorization framework. We deliberately left off the Authorization header usage in the base spec, but I think the way you’ve managed it is interesting and should work fairly well.

:-)

> Just a couple notes and questions from what I can understand of the implementation here:
> 
> - Was there a reason not to use the “Accept-Signature” header alongside the WWW-Authenticate header? This would allow the pod to specify some of the signature parameters that it expects in the next request.

No reason other than that I needed to get a milestone in, and I was so happy that the whole thing was working that I forgot about these needed features.

I added an issue on this here:
https://github.com/solid/specification/issues/534

> - The demonstration signed an empty component set. This is specifically called out as not recommended by the signature spec, as the signature is not tied to the request at all. Can you help me understand the rationale for using an unbound signature here?

Yep, I was starting to work on updating the spec today, and just before you sent this message
I realised that I had forgotten to specify the needed headers. So I opened a discussion on it here:
https://github.com/solid/authentication-panel/discussions/236


> - Following the previous point, I’d recommend at least signing the @path or @target-uri of the resource request (especially since Solid nodes are all URI-based).

Yes.

> - I’d recommend using the “nonce” and “tag” parameters in the signature as well.

Ah very good. Thanks for reminding me about those…

I will work on making these improvements, adding them to the spec PR 

https://github.com/solid/authentication-panel/pull/235

and see if I can then make an improved demo too...

> 
> Overall, it’s great to see this in the wild!

Yes. I think it is easier to understand when showing a running system.

Henry

> 
> Thanks again for sharing,
>  — Justin
> 
>> On Jun 14, 2023, at 4:03 AM, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> Dear HttpBis community,
>> 
>>   I recorded a demonstration of using HTTP Message Signatures with 
>> Tim Berners-Lee’s Solid Authentication Rules by showing a web Spider, 
>> crawling some Linked Data Event Streams, which I presented at the Solid CG [1].
>> 
>> The video is up on Twitter here. (It seems to be too large for YouTube to process)
>> 
>> https://twitter.com/bblfish/status/1666547828506742788
>> 
>> This demo is up to date with the January version of the spec I think. I will try
>> to update the libraries being used for this as soon as I can afford to. 
>> 
>> Links to the code and other are in the meeting minutes below [1].
>> 
>> Btw. the libraries are written in Scala and are designed to compile to JS and Java.
>> Node JS may require a little more work. Native is also possible with scala-native.
>> 
>> Henry Story
>> 
>> [1] https://github.com/solid/specification/blob/main/meetings/2023-06-07.md#httpsig-auth-demo
>> 
> 
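The two points Justin raises (an empty component set is not bound to the request; the nonce and tag parameters should be used) are easy to see with a concrete signature base. The following is an added example, not code from this thread or from the Scala libraries Henry mentions. It builds the signature base in the form the HTTP Message Signatures draft describes, signs it with hmac-sha256 over a constructed shared key so it runs offline (the demo uses asymmetric keys; the base construction is the same), and shows that a signature over `()` verifies unchanged against a different resource on the same pod, while one covering `@method` and `@target-uri` does not. The requests, key, nonce and tag values are all constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample requests (not from the thread): two resources on one pod.
REQUEST_A = {"method": "GET", "target_uri": "https://pod.example/alice/inbox/",
             "headers": {"host": "pod.example"}}
REQUEST_B = {**REQUEST_A, "target_uri": "https://pod.example/alice/private/notes"}

# Placeholder shared secret so the example runs offline with hmac-sha256.
KEY = b"constructed-demo-key"
# Signature parameters; nonce and tag values are constructed placeholders.
PARAMS = {"created": 1686771600, "keyid": "constructed-key",
          "nonce": "n-0001", "tag": "demo-app"}
BOUND = ["@method", "@target-uri"]   # covered components that tie the signature to the request


def component_value(req, name):
    """Resolve a covered component identifier to its value for the signature base."""
    if name == "@method":
        return req["method"].upper()
    if name == "@target-uri":
        return req["target_uri"]
    if name == "@path":
        return urlsplit(req["target_uri"]).path or "/"
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    return req["headers"][name.lower()].strip()   # plain HTTP field, trimmed


def serialize_input(components, params):
    """Inner list for Signature-Input: ("a" "b");created=...;keyid="..."."""
    inner = "(" + " ".join(f'"{c}"' for c in components) + ")"
    for k, v in params.items():
        inner += f";{k}={v}" if isinstance(v, int) else f';{k}="{v}"'
    return inner


def signature_base(req, components, sig_input):
    """One line per covered component, then the @signature-params line."""
    lines = [f'"{c}": {component_value(req, c)}' for c in components]
    lines.append(f'"@signature-params": {sig_input}')
    return "\n".join(lines)


def sign(req, components, params, label="sig1"):
    sig_input = serialize_input(components, params)
    base = signature_base(req, components, sig_input).encode()
    mac = hmac.new(KEY, base, hashlib.sha256).digest()
    return {"Signature-Input": f"{label}={sig_input}",
            "Signature": f"{label}=:{base64.b64encode(mac).decode()}:"}


def parse_input(value, label="sig1"):
    """Minimal parser for the Signature-Input value produced by serialize_input."""
    sig_input = value[len(label) + 1:]
    close = sig_input.index(")")
    components = [c.strip('"') for c in sig_input[1:close].split()]
    params = {}
    for kv in sig_input[close + 1:].split(";")[1:]:
        k, v = kv.split("=", 1)
        params[k] = v.strip('"') if v.startswith('"') else int(v)
    return components, params, sig_input


def verify(req, headers, seen_nonces=None, label="sig1"):
    """Recompute the base from the request as received; optionally reject a reused nonce."""
    components, params, sig_input = parse_input(headers["Signature-Input"], label)
    expected = hmac.new(KEY, signature_base(req, components, sig_input).encode(),
                        hashlib.sha256).digest()
    got = base64.b64decode(headers["Signature"][len(label) + 2:-1])
    if not hmac.compare_digest(expected, got):
        return False
    if seen_nonces is not None:          # replay check only after the MAC is good
        if params.get("nonce") in seen_nonces:
            return False
        seen_nonces.add(params.get("nonce"))
    return True


if __name__ == "__main__":
    unbound = sign(REQUEST_A, [], PARAMS)
    bound = sign(REQUEST_A, BOUND, PARAMS)
    print(signature_base(REQUEST_A, BOUND, bound["Signature-Input"][5:]))
    print("unbound sig accepted for other resource:", verify(REQUEST_B, unbound))
    print("bound sig accepted for other resource:  ", verify(REQUEST_B, bound))
```

With `()` the signature base is the `@signature-params` line alone, so nothing about the resource enters the MAC and the same header pair verifies for `REQUEST_B`; covering `@target-uri` makes the base differ per resource. The `seen_nonces` set is the verifier-side half of the nonce parameter: the pod only benefits from a nonce if it remembers the ones it has accepted.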

Received on Wednesday, 14 June 2023 19:55:00 UTC