- From: Henry Story <henry.story@gmail.com>
- Date: Mon, 8 Mar 2021 18:00:24 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-Id: <46DF634A-0533-4B12-B048-0C69123A177A@gmail.com>
> On 8 Mar 2021, at 17:08, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> On 3/8/21 10:45 AM, Henry Story wrote:
>> I noticed in your slides a row for HTTP Signatures. Where is the work on
>> the authentication part of draft-cavage-* now going on?
>
> Hi Henry, good to hear from you! :)
>
> The work has been adopted by the IETF HTTP WG as an extension specification to
> HTTP and is now on the IETF standards track:
>
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/
>
> Latest is here:
>
> https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-01
>
> Issue tracker is here:
>
> https://github.com/httpwg/http-extensions/issues?q=is%3Aissue+is%3Aopen+label%3Asignatures

Yes, those are the specs for signing messages on which I am building :-)

>
>> So for example I just noticed that the old spec had Signature
>> Authentication method in the header but I used “HttpSig”. Where can I go to
>> work out what the right thing to do is?
>
> The links above should get you engaged with the right WG. I will note that
> there have been breaking changes since entering the HTTP WG, so don't assume
> that it works like it had for the past 8+ years. They're trying hard to align
> it with current best practices for HTTP (e.g., using structured header syntax).
>
> HTTP Signatures are used heavily for Authorization Capabilities (zcaps) and in
> the Encrypted Data Vault work. So yes, lots of overlap w/ Solid and Solid-like
> projects.

You mean this document?
https://w3c-ccg.github.io/zcap-ld/

I could not find any reference there to Signing Http Messages, or to
draft-cavage-*. So perhaps an associated doc?

Indeed I want to integrate zcap-ld authorization capabilities with Solid too.
I started thinking about that in an issue recently
"Authorization Capabilities for Linked Data"
https://github.com/solid/authorization-panel/issues/160#issuecomment-764722858

I need to work on it some more but I think on first consideration using
Martin Abadi’s logic of Saying-That, the difference between capability systems
and ACLs are not as far apart as people have been making them to be. For example
I think one can extend the plain ACL ontology with a :controls relation and
a form of N3 type contextual reasoning to get the desired effect
https://github.com/solid/authorization-panel/issues/160#issuecomment-765961645

This also ties in with `Authorization: HttpSig` extension to Signing HTTP messages.
And that is where I was wondering: should we use `Authorization: Signature` instead
as in the old specs?

I am collecting a few questions along those lines here:
https://github.com/solid/authentication-panel/labels/HttpSig

I don’t think the IETF is going to be the place to work on that since they left
out that part.

Henry

>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
Received on Monday, 8 March 2021 17:00:41 UTC