- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 24 Jun 2013 00:37:44 -0400
- To: Mark Cavage <mark.cavage@joyent.com>
- CC: Web Payments <public-webpayments@w3.org>, IETF HTTP Auth <http-auth@ietf.org>
This is mostly directed at Mark Cavage, but thought it would be good to keep the Web Payments and HTTP Auth groups apprised of the situation.

We had a quick 5 minute discussion on the #payswarm IRC channel about the optional features of HTTP signatures last week. Dave Lehn really didn't like that we were complicating the HTTP Signatures spec by talking about nonces (for HTTP) and HTTP trailer signatures. Dave Longley suggested that we move all optional features of the HTTP Signatures spec into a separate spec. This would have two positive outcomes:

1. It would make it so that we can focus on the core spec and push that forward at IETF.
2. It would reduce the "aww, man - not nonces again!" complaints.

While we do have a pretty solid plan for nonces and trailers[1], we may not want to burn the time on ironing out all of the gory details right now since we don't have anyone demanding that HTTP Signatures work over an unencrypted connection.

Ben Adida pointed me at this spec when I mentioned that we were working on HTTP Signatures (he's a co-author of the Hawk protocol):

https://github.com/hueniverse/hawk

A couple of takeaways from that implementation:

* The way they do time synchronization is interesting.
* The way they do nonces is basically the same approach we take.
* Theirs is an HMAC solution, which we really, really don't want to support.
* Bewit is interesting, but I don't think it has a place in HTTP Signatures.
* We want to integrate most of their security considerations section into the HTTP Signatures Security Considerations document.

-- manu

[1] https://payswarm.com/minutes/2013-06-19/

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Monday, 24 June 2013 04:38:15 UTC