- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Fri, 19 Apr 2013 11:58:05 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>
- CC: IETF HTTP Auth <http-auth@ietf.org>, IETF Apps Discuss <apps-discuss@ietf.org>, Web Payments CG <public-webpayments@w3.org>
Hi Manu, Just on the HOBA bit... On 04/18/2013 10:27 PM, Manu Sporny wrote: > > HTTP Origin-Bound Authentication (HOBA) > http://tools.ietf.org/id/draft-farrell-httpbis-hoba-02.txt > > We had considered signatures in the URL in the second approach to the > problem in the Web Keys spec. We eventually rejected the solution > because of limitations in the URL length in some browsers and because we > wanted the semantics of the HTTP headers to be able to be a part of the > digital signature. We also didn't want large signed messages being > dumped to the webserver logs (the request line is typically included). > So, while HOBA does solve the problem, it doesn't solve it in a way that > is acceptable to us. I think you're misreading the spec a little, or we've written it badly:-) The HTTP scheme in HOBA is an HTTP authentication scheme so I don't know what you mean when you say putting the signatures in the URLs, since we don't do that. I think its that part (section 4 of the HOBA draft) where there's most in common between these, but also section 6. The non-normative JS stuff does say to put the signature in the URL though yes, but is quite a work-in-progress. That section is really there to demonstrate that a site could do the moral equivalent of HOBA without waiting for all UAs to implement the spec. so e.g., if forms made for a better example that'd be ok too I think (not sure if my co-authors agree though). But your points about message size and logs are reasonable. HOBA is just about public key methods, not HMAC which is a real difference. All in all your stuff and this looks quite similar to me, so I'd say we should talk all right. Cheers, S.
Received on Friday, 19 April 2013 10:58:26 UTC