
Re: HTTP Signatures draft published at IETF

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 14 May 2013 10:49:00 +0200
Message-ID: <CAKaEYh+rBS+r2wrC-kNV76Mq7au6ocHXw6rZa0wXvQY4vAvVbA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: ☮ elf Pavlik ☮ <perpetual-tripper@wwelves.org>, public-webpayments <public-webpayments@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>, Blaine Cook <romeda@gmail.com>
On 12 May 2013 04:54, Mark Nottingham <mnot@mnot.net> wrote:

> On 12/05/2013, at 12:45 PM, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
> >
> >
> >
> > On 10 May 2013 02:05, Mark Nottingham <mnot@mnot.net> wrote:
> > Hi,
> >
> > From's semantics and syntax are well-defined, and they are in use. If
> > you want to do this, I'd suggest defining a new header, or a new link
> > relation (to use in Link); From isn't going to fly.
> >
> > Why?
>
> Because making backwards-incompatible changes to the syntax and semantics
> of the most widely deployed application protocol on the planet is bad for
> interoperability.
>
> Why are you so keen on redefining From?
>

Perhaps I can give some high-level thoughts on the motivation. Consider
three widely deployed communication systems: email, the telephone and the
postal service.  Clearly with each of these three, the critical thing is to
know the identifier of the recipient, i.e. a mailto: email address, a tel:
telephone number, or a physical address.

However, in each of these 3 cases, one important addition is often to be
able to send, in addition, the identity of the sender.  The possible
reasons should be apparent, and in each case, the identity is sent in
the form which is similar to that of the identity of the recipient.  It's
not limited to these 3; in most communication systems the concepts of "to"
and "from" are fundamental.

HTTP currently differs in this respect, in that it's not obvious how to
identify to the recipient who the request is from (using HTTP
identifiers).  Some information is sent about the user AGENT, but this is
not the actual user.  Some information is often sent in a cookie, but
that perhaps is not ideal.  It may be possible to send an email id in the
"from" header, but that's not like for like.  I believe Tim always hoped
the web to be a social system, with http used to identify people, places
and things.

The "from" header, at least at first glance may seem like a natural place
for this, so we were just trying to work out the pros and cons of reuse.

Backwards compatibility is always a key consideration, and we would hope to
break as little as possible, so could we examine the effect or possible
reuse?

I don't think the RFC prohibits using an http identity in this field, unless
I am mistaken.  Maybe we can establish a non-breaking change or work out
some cost/benefit analysis?

Hope that makes sense!



>
>
> >
> >
> > Regards,
> >
> >
> > On 09/05/2013, at 7:18 PM, ☮ elf Pavlik ☮ <perpetual-tripper@wwelves.org> wrote:
> >
> > > Excerpts from Kingsley Idehen's message of 2013-05-08 20:29:19 +0000:
> > >> On 5/7/13 2:12 PM, Melvin Carvalho wrote:
> > >>>
> > >>> On 7 May 2013 19:01, Manu Sporny <msporny@digitalbazaar.com
> > >>> <mailto:msporny@digitalbazaar.com>> wrote:
> > >>>
> > >>>    On 05/07/2013 04:04 AM, Melvin Carvalho wrote:
> > >>>> Yeah, I'll ping Julian Reschke or Mark Nottingham about it to see if
> > >>>> we can update the HTTP header field easily.
> > >>>>
> > >>>> +1
> > >>>>
> > >>>> There have been proponents of this for many years e.g. Toby, Nathan,
> > >>>> Kingsley, myself ... just need to get the spec tweaked to
> > >>>> distinguish between strings and URIs.
> > >>>
> > >>>    Do one of you want to take the lead on this? :)
> > >>>
> > >>>
> > >>> Sure, I would be happy to.  Kingsley already asked Mark Nottingham
> > >>> about this last month.  I'm unsure what the most productive next steps
> > >>> should be.
> > >> Mark,
> > >>
> > >> Another dimension to the same issue.
> > >>
> > >> We can loosen the HTTP spec requirements for "From:" without disrupting
> > >> existing products that assume the header value is an Email address.
> > >>
> > >> All:
> > >>
> > >> Do we have any data about how broad current use of "From:" actually is?
> > > +1 on allowing URI in "From:" request header :)
> > >
> > > I set it myself to email for about 2 years now using firefox extension: http://www.garethhunt.com/modifyheaders
> > >
> > > I also mentioned it in this email with link to work of Blaine Cook on *Privacy-over-Webfinger*
> > > https://groups.google.com/group/webfinger/browse_thread/thread/52599662c273a043
> > >
> > > warning: mentioned thread got mixed with another thread so few messages went off topic first!
> >
> > --
> > Mark Nottingham   http://www.mnot.net/
> >
> >
> >
> >
> >
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
Received on Tuesday, 14 May 2013 08:49:28 UTC
