HTTP headers are global to the entire message being transmitted. So, if the message body is aggregated from multiple sources, each of which signed their originals, how would you match signatures in the header to subcomponents of the message in a format-independent manner? Or, do you simply say that aggregation isn't supported?
A hub may wish to sign a message that was signed by its publisher. This message might then be sent to another hub that also wanted to sign it, etc... In this case, if the signatures are in the header, who signs what and how do you keep the signatures distinguished from each other?
bob wymanOn Sun, Nov 20, 2011 at 6:20 PM, Jeff Lindsay <prog...@gmail.com> wrote:
Alternatively, many people implementing webhooks (PSHB being one example) use an HTTP header for signing. So far everybody does it differently. I like Magic Signatures, I also like the loosely inspired JWT, but I feel like something that lives in the headers is the Right Way to do this.There is a very rough draft for something that could solve this problem:I've been recommending it to people looking at signing their webhook payloads. It's not exactly usable yet, but I think it's a good thing to think about. Perhaps we can borrow semantics from Magic Signature and put them into Content Signature?
-jeff--On Sun, Nov 20, 2011 at 1:56 PM, Bob Wyman <b...@wyman.us> wrote:Julien suggests that a new mechanism is required to provide secure notification when sending arbitrary content.One useful and simple approach to this problem is provided by the "Magic Signature" method of the Salmon Protocol.If one assumes that the primary concerns for security involve ensuring that data tampering and authorship can be detected, the Magic Signature approach should do the job well. It would not, however, be suitable if the intent is to publish "secret" data.bob wyman
Jeff Lindsay
http://progrium.com
I think two separate needs are being discussed here:
* A subscriber needs a way to determine whether an incoming push
notification did indeed come from the expected hub. In this case it is
the entire message -- possibly *including* the HTTP headers? -- that
needs to be authenticated.
* A publisher is re-publishing something from another source and the
subscriber needs a way to verify that it did indeed come from the other
source. In this case it is the higher-layer messages that need
authenticating, and Salmon Magic Signatures seems like a fine way to do
that but that seems out of scope of PubSubHubbub since it's specific to
the data format being transmitted.
I do agree with Martin that there are two separate things being
discussed, however. One is content validation, and one is source
validation. I've never, personally, seen the benefit in adding the
content-specific validation to PuSH. It's really an external issue.
Validation that the content actually originated from the correct hub
is important, because it's possible for endpoints to be leaked and
abused without it.
On Nov 22, 12:51 pm, Bob Wyman <b...@wyman.us> wrote: