Re: Web Keys and HTTP Signatures

In the IETF Websec WG we call the use of MACs to bind requests (and
responses) to sessions: "session continuation".

There have been... many specific proposals and even deployed
protocols, like yours.

We really do need a standard method for session continuation.

Session continuation is predicated on having a session key already
exchanged, possibly by an authentication mechanism.  We'd like to
separate the two things: session continuation on the one hand, and key
exchange (and authentication) on the other.

If your protocol is mature enough it might well be the one we should
adopt.  I urge you to subscribe to websec@ietf.org and help us :)

Nico
--

Received on Monday, 8 July 2013 00:22:21 UTC