w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

HTTP Signatures for Solid #92

Open bblfish opened 5 years ago

bblfish commented 5 years ago

I have just written out a small, very initial proposal for how one could develop HTTP-Signatures so that the keyId is dereferenceable, opening a path for HTTP-Signatures to be used in a wider context.

https://github.com/bblfish/authentication-panel/blob/master/HttpSignature.md

I thought that this could be of interest to the community of HTTP-Signature specialists, and would appreciate any feedback. See also issue 18 of the Solid authentication panel.

liamdennehy commented 5 years ago

Any chance you can refer to this as "Signing HTTP Messages", the formal title of the specification?

bblfish commented 5 years ago

I added the full title for the link to the spec, and then I added a shorthand Http-Sig as the full spec title is a bit long.

dlongley commented 5 years ago

@bblfish -- We'll have to figure out how to get convergence here with Linked Data Proofs (specifically parts of Linked Data Signatures and Keys) as what you've written up follows what is already being done with HTTP signatures in a variety of systems.

In short, some systems are using a URL with a hash for the keyId where that URL identifies an LD key that, when dereferenced, includes public key material and a link to its controller. That controller, when dereferenced, specifies the authorized verification methods (public keys), establishing bidirectional linkage. All of this uses RDF/JSON-LD and mirrors (very closely at least) what happens with WebID.

bblfish commented 4 years ago

There were a couple of discussions on the Solid group of the initial proposal, with meeting notes listed here. The first was longer but with only 3 members present; the second was shorter but with a number of people, among them the CTO of Inrupt. Perhaps it would be worth chatting to some people here about those meetings, so I can understand the larger context in which "Signing HTTP Messages" is now active. This will help me build the argument up further. Presumably the DID spec, web credentials, etc....

bblfish commented 2 years ago

In the meantime, Signing HTTP Messages moved to the IETF. I have now implemented version 07 of the spec there. The implementation is available in the httpSig repo. Currently it works with JVM-based Akka. I am going to try to get it to work for http4s next so I can use it in the browser with JS - and it could also be made to work on nodejs.

My EU funding is coming to an end, so if anyone has real needs for other implementations this is the best time to contact me.

bblfish commented 2 years ago

Btw I now have released first SNAPSHOT packages for Java and JavaScript (in the browser, NodeJS can be done later) of "Signing HTTP Messages 07" which I want to later use for HttpSig authentication. The code is at the httpSig repo. https://oss.sonatype.org/content/repositories/snapshots/net/bblfish/crypto/
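The two ideas running through this thread, a keyId that is a dereferenceable URL whose key document points at a controller that lists the key back (dlongley's "bidirectional linkage"), and the IETF "Signing HTTP Messages" signature base that bblfish implemented, fit together in one verifier. The following is an added example written for this page, not code from the httpSig repo or from the authentication-panel proposal. It assumes: an in-memory `FAKE_WEB` dictionary standing in for HTTP dereferencing (constructed sample documents, not real URLs to fetch); `hmac-sha256` in place of an asymmetric key so it runs with only the Python standard library (a real deployment would carry a public key in the key document and use an asymmetric algorithm); and a signature base laid out as one `"component": value` line per covered component followed by an `"@signature-params"` line, which is my reading of the draft-07 layout and should be checked against the draft you target.

```python
"""Added example: dereferenceable keyId + HTTP message signature (hmac-sha256 demo)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

HMAC_SECRET = b"demo-shared-secret"  # constructed demo secret, not real key material

# Constructed stand-in for the web: URL (without fragment) -> key/controller document.
FAKE_WEB = {
    "https://alice.example/keys": {
        "id": "https://alice.example/keys#k1",
        "controller": "https://alice.example/profile#me",
        "secret": HMAC_SECRET,
    },
    "https://alice.example/profile": {
        "id": "https://alice.example/profile#me",
        "verificationMethod": ["https://alice.example/keys#k1"],
    },
    # A key that claims Alice as controller, but Alice's profile never lists it back.
    "https://mallory.example/keys": {
        "id": "https://mallory.example/keys#k1",
        "controller": "https://alice.example/profile#me",
        "secret": HMAC_SECRET,
    },
}


def dereference(url):
    """Offline stand-in for an HTTP GET of `url` with its fragment stripped."""
    return FAKE_WEB.get(url.split("#", 1)[0])


def resolve_key(key_id):
    """Return the key document only if key -> controller -> key links both ways."""
    key_doc = dereference(key_id)
    if key_doc is None or key_doc.get("id") != key_id:
        return None
    ctrl_id = key_doc.get("controller", "")
    ctrl = dereference(ctrl_id)
    if ctrl is None or ctrl.get("id") != ctrl_id:
        return None
    if key_id not in ctrl.get("verificationMethod", []):
        return None  # controller does not authorize this key: reject
    return key_doc


def signature_base(method, target_uri, headers, covered, params):
    """One '"name": value' line per covered component, then the params line (assumed draft-07 shape)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "@method":
            value = method.upper()
        elif name == "@target-uri":
            value = target_uri
        elif name == "@authority":
            value = urlparse(target_uri).netloc.lower()
        elif name == "@path":
            value = urlparse(target_uri).path or "/"
        else:
            if name not in lowered:
                raise KeyError(f"covered header {name!r} absent from message")
            value = " ".join(lowered[name].split())  # collapse internal whitespace
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(method, target_uri, headers, covered, key_id, secret, created, label="sig1"):
    """Return (Signature-Input, Signature) header values for the request."""
    ids = " ".join(f'"{c}"' for c in covered)
    params = f'({ids});created={created};keyid="{key_id}";alg="hmac-sha256"'
    base = signature_base(method, target_uri, headers, covered, params)
    mac = hmac.new(secret, base.encode(), hashlib.sha256).digest()
    return f"{label}={params}", f"{label}=:{base64.b64encode(mac).decode()}:"


_INPUT_RE = re.compile(r'^(?P<label>[A-Za-z0-9_-]+)=\((?P<ids>[^)]*)\)(?P<rest>;.*)$')


def verify(method, target_uri, headers):
    """True only if the signature checks out under a key its controller authorizes."""
    sig_input, sig = headers.get("Signature-Input", ""), headers.get("Signature", "")
    m = _INPUT_RE.match(sig_input)
    if not m:
        return False
    label = m.group("label")
    covered = re.findall(r'"([^"]+)"', m.group("ids"))
    params = sig_input[len(label) + 1:]
    key_id_m = re.search(r';keyid="([^"]+)"', params)
    alg_m = re.search(r';alg="([^"]+)"', params)
    if not key_id_m or not alg_m or alg_m.group(1) != "hmac-sha256":
        return False
    key_doc = resolve_key(key_id_m.group(1))
    sig_m = re.match(rf'^{re.escape(label)}=:([A-Za-z0-9+/=]+):$', sig)
    if key_doc is None or not sig_m:
        return False
    try:
        base = signature_base(method, target_uri, headers, covered, params)
    except KeyError:
        return False
    expected = hmac.new(key_doc["secret"], base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig_m.group(1)))


def demo(key_id="https://alice.example/keys#k1"):
    """Sign a constructed POST, then verify it intact and with a tampered Date."""
    target = "https://api.example/inbox"
    headers = {"Host": "api.example", "Date": "Tue, 20 Apr 2021 02:07:55 GMT",
               "Content-Type": "application/json"}
    covered = ["@method", "@authority", "@path", "date", "content-type"]
    si, s = sign("POST", target, headers, covered, key_id, HMAC_SECRET, 1618884475)
    signed = dict(headers, **{"Signature-Input": si, "Signature": s})
    tampered = dict(signed, Date="Wed, 21 Apr 2021 02:07:55 GMT")
    return verify("POST", target, signed), verify("POST", target, tampered)


if __name__ == "__main__":
    print(demo())  # Alice's key: intact verifies, tampered does not
    print(demo("https://mallory.example/keys#k1"))  # unlisted key: rejected
```

The point of `resolve_key` is the one dlongley raises: a key document asserting a controller is not enough, because anyone can publish a document that names Alice as controller; the verifier must also fetch the controller and confirm it lists that key among its verification methods. The same check carries over unchanged when the key document holds a public key and the algorithm is asymmetric.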