Re: Lift nonces / trailers into separate spec

On 24 June 2013 06:37, Manu Sporny <msporny@digitalbazaar.com> wrote:

> This is mostly directed at Mark Cavage, but thought it would be good to
> keep the Web Payments and HTTP Auth groups apprised of the situation.
>
> We had a quick 5 minute discussion on the #payswarm IRC channel about
> the optional features of HTTP signatures last week. Dave Lehn really
> didn't like that we were complicating the HTTP Signatures spec by
> talking about nonces (for HTTP) and HTTP trailer signatures. Dave
> Longley suggested that we move all optional features of HTTP Signatures
> spec into a separate spec.
>
> This would have two positive outcomes:
>
> 1. It would make it so that we can focus on the core spec and push
>    that forward at IETF.
> 2. It would reduce the "aww, man - not nonces again!" complaints.
>

Nonces play a key role in Bitcoin and Ripple; I'd be keen to reuse them,
but don't mind it moving to another spec.  It will be in the same vocab,
right?


>
> While we do have a pretty solid plan for nonces and trailers[1], we may
> not want to burn the time on ironing out all of the gory details right
> now since we don't have anyone demanding that HTTP Signatures work over
> an unencrypted connection.
>
> Ben Adida pointed me at this spec when I mentioned that we were working
> on HTTP Signatures (he's a co-author of the Hawk protocol):
>
> https://github.com/hueniverse/hawk
>
> A couple of takeaways from that implementation:
>
> * The way they do time synchronization is interesting.
> * The way they do nonces is basically the same approach we take.
> * Theirs is an HMAC solution, which we really, really
>   don't want to support.
> * Bewit is interesting, but I don't think it has a place in HTTP
>   Signatures.
> * We want to integrate most of their security considerations section
>   into the HTTP Signatures Security Considerations document.
>

I've started looking at Hawk, it looks very interesting indeed.  Eran, of
course, was one of the people behind OAuth, and Hawk aims to address some of
OAuth's weaknesses.  I asked Eran if it was possible to identify yourself
to a server using a URI (something which most identity systems can't do),
and he said that it should be possible.  So I have to say this looks very
promising!


>
> -- manu
>
> [1] https://payswarm.com/minutes/2013-06-19/
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/
>
>

Received on Tuesday, 25 June 2013 10:28:11 UTC