- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 9 May 2014 00:53:55 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: IETF HTTP Auth <http-auth@ietf.org>, Web Payments CG <public-webpayments@w3.org>, Mark Nottingham <mnot@mnot.net>, Mark Cavage <mark.cavage@joyent.com>, Julian Reschke <julian.reschke@gmx.de>
- Message-ID: <CAKaEYhLLUTEFm3Fjki1JMwKhyni_203LxzbfOdffeKKK0JYJ6g@mail.gmail.com>
On 8 May 2014 23:41, Manu Sporny <msporny@digitalbazaar.com> wrote:

> After feedback from Mark Nottingham[1], Julian Reschke[2], folks in the
> HTTP Auth WG, and people in the Web Payments CG, we've modified the HTTP
> Signatures specification in the following ways:
>
> 1. The specification has been renamed to "Signing HTTP Messages".
> 2. The specification now covers both a signature-based Authorization
>    mechanism (client-to-server) as well as a general mechanism to sign
>    HTTP messages (client-to-server and server-to-client).
> 3. A new "Signature" header has been introduced.
> 4. The layout has been modified heavily to streamline the information
>    conveyed in the spec.
> 5. New registries have been created for the algorithms referred to in
>    the specification.
>

Thanks for updating this, it looks great.

One thing, I'm slightly confused as to how algorithms should be specified. For example:

SHA256

appears in the document in both lower case and upper case. It also appears both with a hyphen and without a hyphen. I'm also currently using sha-256 as specified in RFC 6920.

I'd like to start using things like ECDSA signature as defined in crypto currencies, but I am finding it challenging to find an easy-to-spot pattern in the naming. Any guidance would be appreciated.

> 6. We're now more specific in the way certain canonicalizations are
>    performed.
> 7. More examples have been added, including how to digitally sign
>    the body of an HTTP message.
>
> The basic mechanism of generating the signatures has not changed (and
> has been stable for over a year).
>
> The newest spec can be found here:
>
> http://tools.ietf.org/html/draft-cavage-http-signatures-02
>
> The diff is here:
>
> http://tools.ietf.org/rfcdiff?url2=draft-cavage-http-signatures-02.txt
>
> Matt, Yoav, Kathleen, if there are no show stopping review comments, I'd
> like to push this spec onto the RFC track in the HTTP Auth WG, or
> HTTPbis/2 WG. It'll be ready for a LC in a month or two. I realize that
> HTTP Auth may be shutting down next month, so what's the next step to
> get the HTTP Signatures spec further down the IETF RFC track?
>
> -- manu
>
> [1] http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0038.html
> [2] http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0036.html
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Thursday, 8 May 2014 22:54:24 UTC