Fwd: New PaySwarm 1.0 Web API Editor's Draft

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 26 Sep 2011 14:39:03 +0200
Message-ID: <CAKaEYh+fkAaRSgGJ+G68FMDsZ9AeVA4ao=LVJiuq8p0vBEFFVg@mail.gmail.com>
To: WebID XG <public-xg-webid@w3.org>, foaf-protocols@lists.foaf-project.org

Note the security vocab:

2. Classes

    2.1 EncryptedMessage
    2.2 Key
    2.3 Signature
    2.4 JsonldSignature
    2.5 XmlSignature

3. Properties

    3.1 cipher
    3.2 data
    3.3 digestAlgorithm
    3.4 iv
    3.5 nonce
    3.6 normalizationAlgorithm
    3.7 password
    3.8 privateKeyPem
    3.9 publicKey
    3.10 publicKeyPem
    3.11 signature
    3.12 signatureFor
    3.13 signer
    3.14 signatureValue
    3.15 signingAlgorithm

---------- Forwarded message ----------
From: Manu Sporny <msporny@digitalbazaar.com>
Date: 26 September 2011 06:58
Subject: New PaySwarm 1.0 Web API Editor's Draft
To: Web Payments <public-webpayments@w3.org>

Hi all,

Quite a bit of work has gone into the new public/private key based
PaySwarm protocol over the past week. The early sections of the spec
are starting to take shape. The latest Editor's Draft of the PaySwarm
1.0 Web API spec is available here:


A diff-marked version from the previous draft is available here:


The latest changes include the addition of the following sections:

4. Communication
 4.1  Requests and Responses
 4.2  Communication Terms
 4.3  Request Signature Algorithm
 4.4  Request Signature Verification Algorithm
 4.5  Response Encryption Algorithm


These sections outline how messages are secured between sites, even if
the sites do not have access to a valid security certificate (like
most WordPress sites). This is a step away from the OAuth 1.0a flow
that we implemented for the latest http://dev.payswarm.com/ website
and allows for a simpler implementation and code-path in many cases.
It turns out that OAuth 1.0a adds complexity to the process when we
were attempting to remove complexity by using it. This is not OAuth's
fault - we require digital signatures for most of our system so
implementing OAuth alongside it is a bit redundant at times.

The prose in the Registration Process has also been updated to flow a
bit more nicely and a number of technical errors have been fixed.

Additionally, it became apparent that the Signature Vocabulary was not
going to be good enough any longer and so it morphed into the Security
Vocabulary over the past week:


I have already submitted a request for a permanent URL for this
vocabulary and the entry for the "sec" prefix has been entered in

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Standardizing Payment Links - Why Online Tipping has Failed
Received on Monday, 26 September 2011 12:39:42 UTC
