Re: Web Keys and HTTP Signatures

On 04/18/2013 04:11 AM, Carsten Bormann wrote:
>> It seems like a simple fix would be to include the list of headers
>> under the signature as the first item.
> 
> Obviously.
> 
> The reason I didn't give this fix is that this just amounts to
> handing out more rope.
> 
> It seems to me the community may not have the resources to come up
> with a secure spec on their own. I'd rather motivate them to spend
> some quality time with security experts than just throw "fixes"  for
> the immediately obvious problems over the wall, somehow hoping nobody
> will find the deeper ones.

Carsten, this particular response is not helpful because:

1. You seem to be claiming to have knowledge about the proposed fix that
   makes it seem like the solution is a dead-end, yet you don't
   elaborate upon the claim.
2. You seem to be insinuating that there are deeper problems with the
   HTTP Signatures approach without expanding upon what those may be.
3. You make an appeal to authority (re: the "security experts" will be
   able to help.) without knowing who wrote the specifications,
   who is reading this thread and commenting elsewhere, nor who has
   already reviewed the specifications.

The reason we sent the initial message out was because we wanted
feedback from various communities, including the "security experts"
whoever those people may be. Responses like the one you make above don't
actually help us identify issues in the protocol or approach that are
being taken. I know that you probably did not mean to come across as
condescending or patronizing, but you have.

I'd like us to focus on technical issues and helping each other rather
than the sort of exchange above.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

Received on Thursday, 18 April 2013 17:24:25 UTC