
HTTPSignature verification fails was: Verifying WebID fails

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 28 Jun 2017 07:21:52 +0200
Message-Id: <9E1BBAB8-F303-4548-AE25-0C143C1BB816@bblfish.net>
Cc: public-webid <public-webid@w3.org>
To: Martynas Jusevičius <martynas@atomgraph.com>

> On 28 Jun 2017, at 00:33, Martynas Jusevičius <martynas@atomgraph.com> wrote:
> 
> Hi,
> 
> I think there is another case where the failure scenario is not defined in the protocol: verifying the WebID.
> 
> What happens if the certificate key does not match the WebID key? None of the verification steps or sections seem to consider that. I suggest again that a 400 Bad Request should be returned.
> 
> I think it is important for the protocol to handle failures if we want robust implementations.
> 
> Is this group active enough to fix such issues?

Oops.

I don't see that the HTTP Signature document mentions this either.
https://datatracker.ietf.org/doc/draft-cavage-http-signatures/

My guess is that whatever the answer for WebID-TLS is, it would be the same for HTTP-Signature too.
And my guess is that they will tell us to look at the HTTP 2.0 spec for the correct response codes.

Still, it would be good to see if we are in agreement here about this.

I am not sure if there is a mailing list for http-signatures. I can't find one referenced from the IETF Doc.

Henry

> 
> 
> Martynas
Received on Wednesday, 28 June 2017 05:22:28 UTC
