Re: HTTP Signatures draft published at IETF

On 5/4/13 6:28 PM, Manu Sporny wrote:
> The HTTP Signatures spec is a digital signature mechanism for the HTTP
> protocol. It adds origin authentication, message integrity, and replay
> resistance to HTTP requests. This is useful for any application that
> currently depends on Basic, Digest, OAuth, or OAuth2 authentication when
> performing RESTful HTTP calls.
>
> Basically, if a client needs to prove to a server that it sent an
> HTTP-based message, it can digitally sign that message. This spec
> defines exactly how that happens.
>
> This spec will be used by the Web Payments / PaySwarm / Web Keys work.
> We're going to combine the public/private key-based signature mechanism
> defined in HTTP Signatures with the public key infrastructure system as
> defined in Web Keys to provide an easy way for nodes on the Internet to
> verify their identity to other nodes on the Internet.
>
> The first draft of this spec was just published via the Internet
> Engineering Task Force (IETF) earlier today:
>
> http://tools.ietf.org/html/draft-cavage-http-signatures-00
>
> You can also find a datetime-stamped version of the spec here:
>
> https://payswarm.com/specs/ED/http-signatures/2013-05-04/
>
> The latest version of the spec can be found on the PaySwarm specs page:
>
> https://payswarm.com/specs/
>
> -- manu
>
Manu,

Have you considered using this effort to get IETF folks to understand 
why the "From:" header needn't be mailto: URI scheme specific? If we can 
get that changed, you have a nice point of integration for URIs that 
denote entities, which opens up nice integration for profile graphs that 
enable simple augmentation of semantically rich rules to this protocol, 
as an option.

Right now, I could pull off what I describe by using a Linked Data URI 
that denotes a public key for the keyid. Basically, the URI would 
resolve to a public key that I use to verify the signed payload.

If we have the "From:" header extended to support URIs rather than 
mailto: URIs only, one could then use a Linked URI that denotes an Agent 
as a mechanism for accessing a public key used to verify signed payloads.

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 6 May 2013 13:24:55 UTC
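The exchange above describes the mechanism in outline: the client signs selected headers, names the key by a `keyId` (which, in Kingsley's proposal, would be a URI that resolves to the key), and the server re-derives the signing string and checks the signature and the freshness of the signed `Date`. The following is an added illustration written for this page, not code from the draft, from PaySwarm, or from either correspondent. It follows the general shape of the draft (a `Signature` authorization scheme with `keyId`, `algorithm`, `headers` and `signature` parameters, and a signing string of `name: value` lines joined by newlines) but uses the draft's `hmac-sha256` algorithm so that it runs with the Python standard library alone; with an asymmetric algorithm the lookup step would return a public key instead of a shared secret. The key registry, the key URI, the secret, and the sample request are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed registry standing in for key resolution. In the proposal discussed
# above the keyId would be a URI resolved (e.g. as Linked Data) to the key material;
# here a dict plays that role. Secret and URI are made up for this example.
KEY_REGISTRY = {
    "https://example.com/keys/1": b"constructed-shared-secret-not-for-real-use",
}

def build_signing_string(headers, header_names):
    """Join 'name: value' lines for the named headers, in the order given.
    Header names are compared case-insensitively; a missing header is an error."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in header_names:
        if name not in lower:
            raise ValueError(f"header required for signature is missing: {name}")
        lines.append(f"{name}: {lower[name]}")
    return "\n".join(lines)

def sign_request(headers, key_id, header_names=("date",)):
    """Client side: return the value of the Authorization header for this request."""
    key = KEY_REGISTRY[key_id]
    signing_string = build_signing_string(headers, header_names)
    mac = hmac.new(key, signing_string.encode("ascii"), hashlib.sha256).digest()
    signature = base64.b64encode(mac).decode("ascii")
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(header_names)}",signature="{signature}"')

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_signature_header(value):
    """Server side: split the Authorization value into its parameters."""
    if not value.startswith("Signature "):
        raise ValueError("not a Signature authorization header")
    params = dict(_PARAM_RE.findall(value[len("Signature "):]))
    for required in ("keyId", "algorithm", "signature"):
        if required not in params:
            raise ValueError(f"missing parameter: {required}")
    params.setdefault("headers", "date")  # the draft's default covered header
    return params

def verify_request(headers, now=None, max_skew=timedelta(minutes=5)):
    """Server side: True only if the signature verifies under the resolved key
    and the signed Date lies within the replay window around `now`."""
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        params = parse_signature_header(lower.get("authorization", ""))
    except ValueError:
        return False
    if params["algorithm"] != "hmac-sha256":
        return False
    key = KEY_REGISTRY.get(params["keyId"])  # key resolution step
    if key is None:
        return False
    header_names = params["headers"].split()
    if "date" not in header_names:
        return False  # an unsigned Date would give no replay resistance
    try:
        signing_string = build_signing_string(headers, header_names)
        presented = base64.b64decode(params["signature"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, signing_string.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return False
    try:
        sent = parsedate_to_datetime(lower["date"])
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return abs(now - sent) <= max_skew

if __name__ == "__main__":
    # Constructed request: sign Date and Host, then verify, replay and tamper with it.
    request = {"Host": "example.com", "Date": "Sat, 04 May 2013 18:28:00 GMT"}
    auth = sign_request(request, "https://example.com/keys/1", ("date", "host"))
    signed = dict(request, Authorization=auth)
    t0 = datetime(2013, 5, 4, 18, 29, tzinfo=timezone.utc)
    print("fresh:   ", verify_request(signed, now=t0))
    print("replayed:", verify_request(signed, now=t0 + timedelta(hours=1)))
    print("tampered:", verify_request(dict(signed, Host="other.example"), now=t0))
```

Covering `host` alongside `date` binds the signature to the intended server as well as to the moment of sending; a server that accepts only signatures whose `headers` list includes `date`, and rejects stale dates, gets the replay resistance the draft describes without any per-request server state.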