Re: Secure Messaging and HTTP Signatures

On 12 February 2014 17:30, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 02/12/2014 03:15 AM, Melvin Carvalho wrote:
> > Am I right to say that for signatures, the signature is in the HTTP
> > headers, but for secure messaging the data is stored in the message
> > body.
>
> Hmm, let me rephrase that a bit:
>
> For HTTP Signatures, the information that is digitally signed are the
> headers of the HTTP message.
>
> For Secure Messaging, the information that is digitally signed is the
> JSON-LD data.
>
> An HTTP Signature may digitally sign both the headers and a content hash
> of the JSON-LD data.
>
> A Secure Message may only sign the content of the JSON-LD data.
>
> > If that's correct, why are these done in different places?
>
> Explained here (at the end of the email):
>
> http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0002.html
>
> The general answer is that they're two different types of
> authentication. HTTP Signatures are meant to be client or server
> authentication (the agent making the call). Secure Messaging is meant to
> be message authentication (the agent that created the message). In many
> cases they're the same thing, but not always.
>
> For example, here's where they're the same thing:
>
> Melvin's user agent makes a call to a REST API to send $1 from Melvin to
> Manu. In this case, the agent making the call and the agent that signed
> the message are the same.
>
> Here's an example where they're different:
>
> Melvin's user agent makes a call to a REST API with a message from Manu
> that says to pay him $1.
>
> The first use case is a simple online transaction. The second use case
> is an offline transaction. Does that make sense?
>

Makes sense thanks.  So I'm interested in signing parts of messages,
therefore, I should use the "sec" vocab I think ...


>
> > The reason that I ask is that in crypto currencies such at bitcoin
> > the signature appears in the message body, rather than, the header.
>
> The Bitcoin header and an HTTP header are two very different things,
> it's difficult to draw parallels between them. In this particular case,
> I believe the authentication for a Bitcoin header comes from the proof
> of work on the block performed by a miner (but I may be wrong about
> this). Since there is no such proof-of-work for an HTTP header, it needs
> some other form of authentication mechanism to verify that a particular
> agent is allowed to perform a particular action on a certain URL.
>

There are different, but there are similarities.  Mainly the
container/content aesthetic.  The web was designed to be a like a piece of
paper, ie the content should be independent of the medium.  The bitcoin
header is just a pointer to two content addressable hashes, one for the
previous item (to create a linked list) and one to the content.

The final field, the proof of work, operates to reduce a number of
competing chains into a single chain that it is consensus to work on via
"longest chain wins".

You could think of the block chain as a trail of documents (transactions)
to create a finite state machine (ledger).  Tim anticipated all of this to
a certain extent in his "paper trail" article:

http://www.w3.org/DesignIssues/PaperTrail


>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Worlds First Web Payments Workshop
> http://www.w3.org/2013/10/payments/
>
>