W3C home > Mailing lists > Public > public-credentials@w3.org > November 2015

HTTP Signature authentication between browser and non same origin server successful

From: <henry.story@bblfish.net>
Date: Tue, 17 Nov 2015 22:18:51 +0000
Message-Id: <886305BF-8BDC-4355-AFB1-9D0D3B382C25@bblfish.net>
Cc: public-webid <public-webid@w3.org>
To: W3C Credentials Community Group <public-credentials@w3.org>
Hi folks,

I have now implemented client and server parts of the HTTP Signature protocol [1] in Scala and Scala-JS respectively and have gotten it to work. I have verified that I can display pages served from localhost that then use the HTTP Fetch API to fetch a page from https://joe.example:8443/, intercept a returned 401, and make a new request that succeeds. Currently that requests still fails because the the server does not yet know how to give rights to a WebKey identified user, which is on my list todo next. This works in Chrome Canary and Firefox developer edition. I have not had time to test it more widely, but it should work at least on 1 year old browsers.

The current server code and detailed discussion is here:

What would be needed to publish the key, would be either for the client to know 
of a place to publish one, or for the server to propose one itself.

A number of options are available for publishing a key:
 1) publishing a public key to some decentralised storage system
 2) publishing it to a LDPC ( from the Linked Data Platform )

2) is the easiest for me to implement as I already have an LDP Server.
1) would also be an interesting option, though it feels like more work

Those two options are not exclusive.

For those who would like the server to propose a place to POST the key one would
only need the 401 to return a Link Header from RFC 5988

Link: </keys/>; rel="public-key-container"; title="Publish your public key here"


[1] https://tools.ietf.org/html/draft-cavage-http-signatures-05
[2] https://tools.ietf.org/html/rfc5988
Received on Tuesday, 17 November 2015 22:19:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:49 UTC