
Re: HTTP-Signatures - was: Roadmap: Verifiable Trust Standards

From: Henry Story <henry.story@gmail.com>
Date: Mon, 8 Mar 2021 18:00:24 +0100
Message-Id: <46DF634A-0533-4B12-B048-0C69123A177A@gmail.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
To: Manu Sporny <msporny@digitalbazaar.com>

> On 8 Mar 2021, at 17:08, Manu Sporny <msporny@digitalbazaar.com> wrote:
> On 3/8/21 10:45 AM, Henry Story wrote:
>> I noticed in your slides a row for HTTP Signatures. Where is the work on
>> the authentication part of draft-cavage-* now going on?
> Hi Henry, good to hear from you! :)
> The work has been adopted by the IETF HTTP WG as an extension specification to
> HTTP and is now on the IETF standards track:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/
> Latest is here:
> https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-01
> Issue tracker is here:
> https://github.com/httpwg/http-extensions/issues?q=is%3Aissue+is%3Aopen+label%3Asignatures

Yes, those are the specs for signing messages on which I am building :-)

>> So for example I just noticed that the old spec had Signature
>> Authentication method in the header but I used ”HttpSig”. Where can I go to
>> work out what the right thing to do is?
> The links above should get you engaged with the right WG. I will note that
> there have been breaking changes since entering the HTTP WG, so don't assume
> that it works like it had for the past 8+ years. They're trying hard to align
> it with current best practices for HTTP (e.g., using structured header syntax).
> HTTP Signatures are used heavily for Authorization Capabilities (zcaps) and in
> the Encrypted Data Vault work. So yes, lots of overlap w/ Solid and Solid-like
> projects.

You mean this document?

I could not find any reference there to Signing HTTP Messages, or to
draft-cavage-*. So perhaps an associated doc?

Indeed I want to integrate zcap-ld authorization capabilities with Solid too.
I started thinking about that in an issue recently "Authorization Capabilities for Linked Data"


I need to work on it some more, but I think on first consideration, using Martin
Abadi’s logic of Saying-That, the difference between capability systems and ACLs
is not as great as people have been making it out to be.

For example, I think one can extend the plain ACL ontology with a :controls relation
and a form of N3-type contextual reasoning to get the desired effect.

This also ties in with `Authorization: HttpSig` extension to
Signing HTTP messages. And that is where I was wondering: should we
use `Authorization: Signature` instead as in the old specs?

I am collecting a few questions along those lines here:


I don’t think the IETF is going to be the place to work on that since
they left out that part.


> -- manu
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches

Received on Monday, 8 March 2021 17:00:41 UTC
