- From: Tim Holborn <timothy.holborn@gmail.com>
- Date: Fri, 4 Jul 2014 12:41:08 +1000
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments CG <public-webpayments@w3.org>
- Message-Id: <615ADA89-1499-43FC-BAE9-C5490EFC8BBC@gmail.com>

some other solutions out there have potential i.e. http://storj.io/

On 4 Jul 2014, at 12:20 pm, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 07/03/2014 02:58 PM, Adrian Hope-Bailie wrote:
>> Am I missing something or is this HTTP-Signatures with a small
>> twist?
>
> If you're missing something, I'm missing it too. It seems like a really
> restricted subset of HTTP-Signatures with a lock-in to the crypto
> algorithm and "things that you can sign" with a few major security holes
> thrown in.
>
> Features that are missing from the solution that HTTP Signatures has:
>
> * Ability to digitally sign HTTP headers (because you can do a lot of
>   nasty things by modifying important headers... like 'Location:' ).
> * Ability to not sign the body if that doesn't make sense (like when
>   you're streaming GBs of data or using trailers or ...)
> * Ability to sign the HTTP method, which is really important:
>   GET /me/accounts/life-savings
>   DELETE /me/accounts/life-savings
> * Ability to identify keys in a greater variety of ways
>   (URL, fingerprint, etc.)
> * The server can specify when it expects a digital signature when
>   accessing a resource.
> * Easy to share keys between clusters of clients.
> * HMAC support, because there are legitimate uses of it even though
>   it's bad in general.
> * Ability to select the key format and signing algorithm
>
> I'm going to stop there, but the solution seems questionable. There's
> nothing in there that I can see that the HTTP Signatures spec doesn't
> already do.
>
>> The only thing that makes it similar in any way to BitCoin is the
>> use of a ECDSA secp256k1 keypair
>
> Bitcoin is great so this must be great if it even uses a fraction of
> Bitcoin technology, right? Marketing, marketing, marketing! :P
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
>
Received on Friday, 4 July 2014 02:44:18 UTC
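
An added example, not part of the original message or of the HTTP Signatures specification text: it illustrates the quoted points about signing the HTTP method and headers by comparing a signature that covers only the body digest with one that also covers `(request-target)`, `host` and `date`. The signing-string layout is a simplified form of the HTTP Signatures draft convention; the key, host, date and helper names are constructed for the illustration, and HMAC-SHA256 is used because the message mentions HMAC support.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-secret"  # constructed shared secret, for illustration only

def digest_header(body: bytes) -> str:
    """Digest header value that binds the body into the signed headers."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method: str, path: str, headers: dict, covered: list) -> str:
    """Join the covered components, in order, as 'name: value' lines."""
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            # A KeyError here means a covered header is absent from the request.
            lines.append(f"{name}: {headers[name].strip()}")
    return "\n".join(lines)

def sign(method, path, headers, covered, key=KEY) -> str:
    msg = signing_string(method, path, headers, covered).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def verify(method, path, headers, covered, signature, key=KEY) -> bool:
    try:
        expected = sign(method, path, headers, covered, key)
    except KeyError:
        return False  # a covered header was stripped, so reject the request
    return hmac.compare_digest(expected, signature)

# Constructed request: lower-cased header names, empty body.
PATH = "/me/accounts/life-savings"
HEADERS = {"host": "bank.example", "date": "Fri, 04 Jul 2014 02:20:00 GMT",
           "digest": digest_header(b"")}
BODY_ONLY = ["digest"]
FULL = ["(request-target)", "host", "date", "digest"]

def method_swap_accepted(covered) -> bool:
    """Sign a GET, then check whether the same signature verifies on a DELETE."""
    sig = sign("GET", PATH, HEADERS, covered)
    return verify("DELETE", PATH, HEADERS, covered, sig)

if __name__ == "__main__":
    print("body-only coverage accepts method swap:", method_swap_accepted(BODY_ONLY))
    print("full coverage accepts method swap:", method_swap_accepted(FULL))
```

With body-only coverage the verifier cannot tell the GET from the DELETE; once the method and path are part of the signed string, the swapped request fails verification.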