Re: Secure Messaging and HTTP Signatures

On 02/12/2014 03:15 AM, Melvin Carvalho wrote:
> Am I right to say that for signatures, the signature is in the HTTP 
> headers, but for secure messaging the data is stored in the message 
> body.

Hmm, let me rephrase that a bit:

For HTTP Signatures, the information that is digitally signed is the
headers of the HTTP message.

For Secure Messaging, the information that is digitally signed is the
JSON-LD data.

An HTTP Signature may digitally sign both the headers and a content hash
of the JSON-LD data.

A Secure Message may only sign the content of the JSON-LD data.

> If that's correct, why are these done in different places?

Explained here (at the end of the email):

http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0002.html

The general answer is that they're two different types of
authentication. HTTP Signatures are meant to be client or server
authentication (the agent making the call). Secure Messaging is meant to
be message authentication (the agent that created the message). In many
cases they're the same thing, but not always.

For example, here's where they're the same thing:

Melvin's user agent makes a call to a REST API to send $1 from Melvin to
Manu. In this case, the agent making the call and the agent that signed
the message are the same.

Here's an example where they're different:

Melvin's user agent makes a call to a REST API with a message from Manu
that says to pay him $1.

The first use case is a simple online transaction. The second use case
is an offline transaction. Does that make sense?

> The reason that I ask is that in crypto currencies such as bitcoin 
> the signature appears in the message body, rather than the header.

The Bitcoin header and an HTTP header are two very different things;
it's difficult to draw parallels between them. In this particular case,
I believe the authentication for a Bitcoin header comes from the proof
of work on the block performed by a miner (but I may be wrong about
this). Since there is no such proof-of-work for an HTTP header, it needs
some other form of authentication mechanism to verify that a particular
agent is allowed to perform a particular action on a certain URL.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The World's First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Wednesday, 12 February 2014 16:31:17 UTC
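As an added illustration (not from Manu's message or from either spec), this Python sketch shows what each signature binds to in the "offline transaction" case above: the HTTP Signature covers the request target, Date and a Digest of the body and authenticates the calling agent, while the Secure Messaging signature covers only the JSON-LD data and authenticates its author. The key values, the context URL and the use of HMAC-SHA256 in place of public-key signatures are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
# Constructed keys; HMAC-SHA256 stands in for the public-key signatures of the real specs.
MELVIN_AGENT_KEY = b"constructed-key-of-melvins-user-agent"  # authenticates the caller
MANU_KEY = b"constructed-key-of-manu"                        # authenticates the message author

def _mac(key, data):
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

def canonical_json(doc):
    # Stand-in for JSON-LD normalization: one byte-exact serialization of the data.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign_message(doc, key):
    # Secure Messaging: the signature covers only the JSON-LD data and travels in the body.
    return dict(doc, signature={"type": "hmac-sha256-example", "signatureValue": _mac(key, canonical_json(doc))})

def verify_message(signed, key):
    doc = {k: v for k, v in signed.items() if k != "signature"}
    return hmac.compare_digest(signed["signature"]["signatureValue"], _mac(key, canonical_json(doc)))

def content_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, path, headers, names):
    # HTTP Signatures signing string: "(request-target)" plus "name: value" lines (header names lowercase here).
    lines = [f"(request-target): {method.lower()} {path}" if n == "(request-target)" else f"{n}: {headers[n]}" for n in names]
    return "\n".join(lines).encode()

def sign_request(method, path, headers, body, key, names=("(request-target)", "date", "digest")):
    # Signing the Digest header binds the body's content hash to the caller's signature as well.
    headers = dict(headers, digest=content_digest(body))
    sig = _mac(key, signing_string(method, path, headers, names))
    headers["authorization"] = f'Signature keyId="caller",algorithm="hmac-sha256",headers="{" ".join(names)}",signature="{sig}"'
    return headers

def verify_request(method, path, headers, body, key):
    params = {k: v.strip('"') for k, v in (p.split("=", 1) for p in headers["authorization"][len("Signature "):].split(","))}
    if not hmac.compare_digest(headers.get("digest", ""), content_digest(body)):
        return False  # body no longer matches the signed content hash
    return hmac.compare_digest(params["signature"], _mac(key, signing_string(method, path, headers, params["headers"].split(" "))))

def offline_transaction(caller_key=MELVIN_AGENT_KEY, tamper_body=False):
    # Manu signs a request for $1; Melvin's user agent later submits it under its own HTTP signature.
    msg = sign_message({"@context": "https://example.com/constructed-context", "type": "PaymentRequest", "payee": "manu", "amount": "1.00"}, MANU_KEY)
    body = canonical_json(msg)
    headers = sign_request("POST", "/payments", {"date": "Wed, 12 Feb 2014 16:31:17 GMT"}, body, caller_key)
    if tamper_body:
        body = body.replace(b'"1.00"', b'"100.00"')
    return verify_request("POST", "/payments", headers, body, MELVIN_AGENT_KEY), verify_message(json.loads(body), MANU_KEY)
```

A request submitted under someone else's key fails the HTTP Signature check while Manu's message still verifies, which is exactly the caller-versus-author split the reply describes; altering the body in transit breaks both checks.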