Why is the Web Payments group working on HTTP Signatures?

I've received a couple of private "Why is the Web Payments group working
on HTTP Signatures?" questions, so decided to write a quick summary blog
post about it here:

http://manu.sporny.org/2013/http-signatures/

The bottom line is that the PaySwarm spec needs to enable people to do
things like pay people, retrieve digital receipts, and perform other
financial housekeeping functions from outside of a Web browser environment.

For example, being able to pay someone from a native app is an important
use case. Requesting payment from the command line (a Web developer
billing their customers) is another one. HTTP Signatures, coupled with
the Web Keys specification, enables these sorts of scenarios.

Full text of the article above is included below:
--------------------------------------------------------------------

                 Verifiable Messaging over HTTP

   Problem: Figure out a simple way to enable a Web client or
   server to authenticate and authorize itself to do a REST API
   call. Do this in one HTTP round-trip.

   There is a new specification that is making the rounds called
   [1]HTTP Signatures. It enables a Web client or server to
   authenticate and authorize itself when doing a REST API call and
   only requires one HTTP round-trip to accomplish the feat. The
   meat of the spec is 5 pages long, and the technology is simple
   and awesome.

   We’re working on this spec in the Web Payments group at the
   World Wide Web Consortium because it’s going to be a fundamental
   part of the payment architecture we’re building into the core of
   the Web. When you send money to or receive money from someone,
   you want to make sure that the transaction is secure. HTTP
   Signatures help to secure that financial transaction.

   However, the really great thing about HTTP Signatures is that it
   can be applied anywhere password or OAuth-based authentication
   and authorization is used today. Passwords, and shared secrets
   in general, are increasingly becoming a [2]problem on the Web.
   [3]OAuth 2 sucks for a number of reasons. It’s time for
   something simpler and more powerful.

   HTTP Signatures:

    1. Work over both HTTP and HTTPS. You don’t need to spend money
       on expensive SSL/TLS security certificates to use it.
    2. Protect messages sent over HTTP or HTTPS by digitally
       signing the contents, ensuring that the data cannot be
       tampered with in transit. In the case that HTTPS security is
       [4]breached, it provides an additional layer of protection.
    3. Identify the signer and establish a certain level of
       authorization to perform actions over a REST API. It’s like
       OAuth, only way simpler.
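   To make points 2 and 3 concrete, here is an added example (not code
   from the spec, PaySwarm or the author) of both halves of the exchange:
   the client builds the `Authorization: Signature ...` header, and the
   server identifies the key from `keyId`, recomputes the signature over
   the request line and covered headers, and rejects tampered or stale
   requests. Assumptions: the `request-line` pseudo-header and the
   `name: value` signing-string layout follow the early cavage drafts, the
   key id and secret are constructed, and hmac-sha256 (also defined by the
   draft) stands in for the rsa-sha256 a Web Keys deployment would use,
   so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed demo key (assumption). With Web Keys the server would fetch the public
# key named by keyId and check rsa-sha256; hmac-sha256 keeps this runnable on stdlib.
KEY_ID = "https://example.com/i/alice/keys/1"
KEYS = {KEY_ID: b"constructed-demo-secret"}
PARAM = re.compile(r'(\w+)="([^"]*)"')

def signing_string(request_line, headers, names):
    """Newline-join the covered items: 'request-line' contributes the raw request
    line, any other name contributes 'lowercased-name: value'."""
    lower = {k.lower(): v for k, v in headers.items()}
    return "\n".join(request_line if n == "request-line" else f"{n}: {lower[n]}"
                     for n in map(str.lower, names))

def sign(request_line, headers, key_id, names=("request-line", "host", "date")):
    """Client side: produce the Authorization header value for one request."""
    mac = hmac.new(KEYS[key_id], signing_string(request_line, headers, names).encode(),
                   hashlib.sha256).digest()
    return ('Signature keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"'
            % (key_id, " ".join(names), base64.b64encode(mac).decode()))

def verify(request_line, headers, authorization, now, max_skew=timedelta(minutes=5)):
    """Server side: return (ok, reason). Besides the MAC, require that the request
    line and Date are covered and that Date lies within max_skew of the server clock
    ('now', an HTTP-date string), so a captured request cannot be replayed later."""
    scheme, _, params = authorization.partition(" ")
    p = dict(PARAM.findall(params))
    names = [n.lower() for n in p.get("headers", "date").split()]  # draft default: date
    if scheme != "Signature" or {"request-line", "date"} - set(names):
        return False, "request-line and date must be covered"
    key = KEYS.get(p.get("keyId"))
    if key is None or p.get("algorithm") != "hmac-sha256":
        return False, "unknown keyId or algorithm"
    try:
        expected = hmac.new(key, signing_string(request_line, headers, names).encode(),
                            hashlib.sha256).digest()
        given = base64.b64decode(p.get("signature", ""), validate=True)
        # HTTP dates are in GMT, so both sides parse to timezone-aware datetimes.
        sent = parsedate_to_datetime({k.lower(): v for k, v in headers.items()}["date"])
    except (KeyError, ValueError, TypeError) as exc:  # missing header, bad base64/date
        return False, f"malformed request: {exc!r}"
    if not hmac.compare_digest(expected, given):
        return False, "signature mismatch"
    if abs(parsedate_to_datetime(now) - sent) > max_skew:
        return False, "date outside skew window"
    return True, "ok"
```

   Covering the request line is what makes a signature for `GET /receipts/1`
   useless against `/receipts/2`; covering Date and bounding the clock skew is
   what limits how long a captured request stays valid.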

   When coupled with the [5]Web Keys specification, HTTP
   Signatures:

    1. Provide a mechanism where the digital signature key does not
       need to be registered in advance with the server. The server
       can automatically discover the key from the message and
       determine what level of access the client should have.
    2. Enable a fully distributed Public Key Infrastructure for the
       Web. This opens up new ways to more securely communicate
       over the Web, which is timely considering the recent news
       concerning the [6]PRISM surveillance program.

   If you’re interested in learning more about HTTP Signatures, the
   meat of the [7]spec is 5 pages long and is a pretty quick read.
   You can also read (or listen to) the meeting notes where we
   discuss the HTTP Signatures spec [8]a week ago, or [9]today. If
   you want to keep up with how the spec is progressing, [10]join
   the Web Payments mailing list.

References

   1. http://tools.ietf.org/html/draft-cavage-http-signatures-00
   2. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
   3. http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
   4. https://www.eff.org/deeplinks/2011/10/how-secure-https-today
   5. https://payswarm.com/specs/source/web-keys/
   6. http://en.wikipedia.org/wiki/PRISM_(surveillance_program)
   7. http://tools.ietf.org/html/draft-cavage-http-signatures-00
   8. https://payswarm.com/minutes/2013-06-05/
   9. https://payswarm.com/minutes/2013-06-12/
  10. http://lists.w3.org/Archives/Public/public-webpayments/

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

Received on Wednesday, 12 June 2013 21:00:09 UTC