- From: <henry.story@bblfish.net>
- Date: Mon, 9 Nov 2015 18:32:31 +0000
- To: W3C Credentials Community Group <public-credentials@w3.org>
- Cc: public-webid <public-webid@w3.org>, Andrei Sambra <asambra@mit.edu>
> On 8 Nov 2015, at 11:17, henry.story@bblfish.net wrote:
>
> I have opened an issue on the whatwg Fetch issues list to see if
> they can add a function to allow one to access the headers before
> they get sent, so that one could actually sign as many of the
> headers as possible.
>
> https://github.com/whatwg/fetch/issues/156

On IRC annevk wrote (unofficially I suppose):

> yeah I looked at that and that doesn't seem like something we'll address anytime soon
> the headers to be transmitted are in the network stack which is mostly post-Fetch
> although it's all a bit gobbled up admittedly since the standards are a bit post-implementation

That's not that surprising.

So as we can't get the Date or things that may play the role of a nonce, what do we do?

WebID-RSA ( https://github.com/solid/solid-spec#webid-rsa ) has the server send a nonce. Though I am not sure how the server would remember which nonce was sent. Also the lack of a date seems to make it open to replay attacks (which is why having access to the date in the Signature is quite important).

With HTTP Signatures we can get something like the WebID by passing a User header with the WebID. But we'd need to find a way to add an extra date header, which I suppose should never be more than a few seconds out of sync with the real date header.

Any ideas?

annevk also wrote (first impression - but it's always interesting to collect those):

> That draft seems to sorta skip over justification for why it's a good idea to begin with

Anyway, he's thinking about it. But even if they do advance we'd need something we can use now.

Henry
Received on Monday, 9 November 2015 18:33:02 UTC