HttpSig #125
Perhaps an alternative would be to include `keyId` in the field-value of `WWW-Authenticate`. Bonus: 1) efficient; one less connection 2) flexible; no need to hop through a specific access control system.
The `WWW-Authenticate: HttpSig` header is sent by the server to the client. The `HttpSig` method is meant to indicate to the client that it can use "Signing Http Messages" with the `keyId` used as URL. It could send the content of the ACL in the body, so not requiring an extra connection (or with HTTP/2 the server can send it ahead of being asked).
Possibly. If so, it should probably be wrapped in Problem Details in the response body, e.g. solid/specification#28
Haven't fully thought this through (and it is late late night..) but there may be some dependency/expectation that the URI is persistent in that a particular key (resource) is allocated to the URI. If the key resource ever changes but the resource server still uses the cached copy, client may not ever be able to authenticate until cache is cleared. So, either a good practice is encouraged (which is not different than the general best practice of URI Persistence as per AWWW) or there needs to be a way to bust the cache... or don't cache. Todo: more thinking/implementing.
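As an added example (not code from this PR or its author), one way a resource server could handle the stale-cache case raised above: cache the key resource behind the `keyId` URL with a TTL, and when a signature fails against the cached copy allow a single, rate-limited re-fetch so a rotated key does not lock the client out until the cache is cleared. The URL, key material, fetch helper and the HMAC stand-in for the real signature check are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the key resource that the keyId URL dereferences to.
# HttpSig uses public keys; an HMAC secret keeps the example dependency-free
# (assumption). The caching policy is the point, not the primitive.
KEY_RESOURCES = {"https://alice.example/keys/1": b"old-key-material"}


def fetch_key(key_id):
    """Hypothetical helper: stands in for an HTTP GET of the keyId URL."""
    return KEY_RESOURCES[key_id]


def sign(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class KeyCache:
    """Key resources cached by keyId with a TTL plus a rate-limited refresh."""

    def __init__(self, ttl=300, refresh_interval=60, fetch=fetch_key,
                 clock=time.monotonic):
        self.ttl, self.refresh_interval = ttl, refresh_interval
        self.fetch, self.clock = fetch, clock
        self._entries = {}  # key_id -> (key, fetched_at)
        self.fetches = 0

    def _get(self, key_id, force=False):
        now = self.clock()
        entry = self._entries.get(key_id)
        stale = entry is None or now - entry[1] > self.ttl
        # A forced refresh is rate-limited; otherwise every bad signature
        # would cost the server an outbound fetch of the key resource.
        if stale or (force and now - entry[1] > self.refresh_interval):
            self._entries[key_id] = (self.fetch(key_id), now)
            self.fetches += 1
        return self._entries[key_id][0]

    def verify(self, key_id, message, signature):
        if hmac.compare_digest(sign(self._get(key_id), message), signature):
            return True
        # The key resource may have rotated since it was cached: one refresh
        # lets a legitimate client recover without waiting for the TTL.
        key = self._get(key_id, force=True)
        return hmac.compare_digest(sign(key, message), signature)


def demo():
    t = [0.0]  # injected clock so the timeline is deterministic
    cache = KeyCache(clock=lambda: t[0])
    kid, msg = "https://alice.example/keys/1", b"(request-target): get /profile"
    first = cache.verify(kid, msg, sign(KEY_RESOURCES[kid], msg))
    t[0] += 120
    KEY_RESOURCES[kid] = b"rotated-key-material"  # key resource changes
    rotated = cache.verify(kid, msg, sign(KEY_RESOURCES[kid], msg))
    bad = cache.verify(kid, msg, sign(b"wrong-key", msg))  # refresh throttled
    return first, rotated, bad, cache.fetches  # (True, True, False, 2)
```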
Yes, I think that type of problem works itself out with experience, and the process followed by the server will depend on how serious the threat is. If the key is on the server or with the P2P connection option on the client, these things get to be a lot simpler. With `did:key`s the key comes along with the message.
Perhaps the Web Of Trust RDF Ontology. I use both cert and wot, e.g. the wot snippet: