Re: HTTP Signatures specification updated from Anders Rundgren on 2014-02-04 (public-webpayments@w3.org from February 2014)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 04 Feb 2014 09:51:13 +0100
To: Melvin Carvalho <melvincarvalho@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>
CC: Web Payments <public-webpayments@w3.org>
Message-ID: <52F0AA01.6000208@gmail.com>
On 2014-02-04 07:36, Melvin Carvalho wrote:
>
>
>
> On 1 February 2014 19:54, Manu Sporny <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>> wrote:
>
>     In order to make Web Payments (and REST APIs in general) more secure on
>     the Web, this group has been working on extensions to the HTTP protocol
>     so that you can digitally sign HTTP headers and content.
>
>     We just pushed an update to the specification and believe that it's
>     ready for public comment. The specification is already deployed in
>     production at Joyent and Digital Bazaar:
>
>     http://tools.ietf.org/html/draft-cavage-http-signatures-01
>
>     This technology is useful when you just need to make a secure request to
>     your financial provider to transmit money from you to someone else, make
>     a payment, create an invoice, etc. without having to perform a login
>     handshake (OAuth, user+pass, etc.).
>
>     This is what a payment request looks like using this specification:
>
>     POST /transactions HTTP/1.1
>     Host: payments.example.com <http://payments.example.com>
>     Date: Sat, 01 Feb 2014 21:31:40 GMT
>     Content-type: application/ld+json
>     Digest: SHA-256=ZjQ1MjU1ZWNhNWUwZWM4N2...yAqdGVzdAo=
>     Content-length: 525
>     Authorization: Signature
>       keyId="http://bluebank.com/people/john/keys/5",
>       algorithm="rsa-sha256",
>       headers="request-line host date content-type digest content-length",
>       signature="jgSqYK0yKc...ZZItOuhIs78w="
>
>     {
>       "@context": "https://w3id.org/payswarm/v1",
>       "type": "Transaction"
>       "transfer": {
>         "type": "Transfer",
>         "amount": "7.50",
>         "currency": "USD",
>         "source": "https://bluebank.com/people/john/accounts/party-funds",
>         "destination": "https://redbank.com/people/jane/accounts/hosting",
>         "comment": "Chipping in for the Pizza Party tomorrow."
>       },
>       "signature": {
>         "type": "GraphSignature2013",
>         "created": "2011-09-23T20:21:34Z",
>         "signer": "http://bluebank.com/people/john/keys/5",
>         "signatureValue": "ExMgoDIyOGQzNGVkMzVmmM...yZTkZDYMI="
>       }
>     }
>     Question: How are duplicates handled? 
>

Melvin,
This is a generic problem.  In a system developed by the EU for dealing with e-passports
over the border they "forgot" to say to the implementers how to deal with duplicates which have
created a nightmare of non-interoperability.

If I were to rule, duplicates should be tolerated but of course not generate a new
transaction.   This requires that each message carries a (for the sender) unique ID but that
is pretty much standard.  Date doesn't IMO suffice.

Anders

>     An astute reader might recognize that there are two signatures in this
>     request. The first one is on the HTTP message, the second one is on the
>     transaction. This is done because the first signature is designed to
>     authenticate the client (person or organization making the call). The
>     second signature is designed to authenticate the request (which may have
>     been made by a different person or organization than the entity making
>     the request). This dual-signature approach allows agents to relay
>     financial requests on behalf of other people or organizations. One
>     optimization would be to remove the signature in the message so that
>     only one signature is necessary for this type of transaction.
>
>     The HTTP Signatures specification is utilized by the Web Payments
>     specification, the Secure Messaging specification, and the Web Identity
>     specification, which are then used by most every other specification
>     that this group is working on that requires REST API authentication.
>
>
> Is there a possible replay attack where the same transaction may be actioned more than the intended number of times?
>  
>
>
>     -- manu
>
>     --
>     Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>     Founder/CEO - Digital Bazaar, Inc.
>     blog: The Worlds First Web Payments Workshop
>     http://www.w3.org/2013/10/payments/
>
>
Received on Tuesday, 4 February 2014 08:51:45 UTC