OpenPGP Signing of HTTP POST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear OpenPGP WG team,
One day at 3am in the morning I woke up with a mix of two strings in my head: "POST / HTTP/1.1" and
"-----BEGIN PGP SIGNED MESSAGE-----". I woke up my wife, told her about the whole idea, and as I
couldn't go back to sleep, I got up and wrote it down. A couple of months later, and some BIG
thinking, I decided to create a Firefox Extension to implement what I am now going to describe, and
what I want to rewrite into a proper Draft:
For years different methods for User Authentication and Session Management have been implemented:
* HTTP Authentication
* Cookies
* GET/POST values
* SSL with client certificates
* A combination of all the above.
Regarding SMTP, e-mail has been digitally signed for a long time now, and it is a standard.
Extending its usage to the HTTP protocol sounded like a natural idea, especially at 3am when I woke
up with an OpenPGP-signed HTTP POST request in my head.
By having the POST payload ("variable=test") signed using an ASCII armored, Clearsign, OpenPGP based
procedure, the browsing user can provide Identity Authentication to that payload, thus adding all
OpenPGP benefits to the HTTP POST request.
This allows web developers to add a new layer of security to their applications, and if correctly
implemented will render man-in-the-middle attacks useless. The direct benefit of implementing this
extension is that web developers will be able to verify the POST payload signature, potentially
avoiding obscure session management, and/or complicated login procedures.
For example, Highly Secure Home Banking sites could be created by using Enigform + some simple
server side code.
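As an added example (not Enigform's or the draft's own code) of the "simple server side code" side of this, the Python sketch below unwraps a clearsigned POST body following the clearsign rules of RFC 4880 section 7, hands the whole body to `gpg --verify` for the actual signature check, and parses the form fields only from the signed text, never from the raw request body. The `gpg` invocation, the keyring location and the sample body are assumptions of this example.

```python
import subprocess
from urllib.parse import parse_qs

SIGNED_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def split_clearsigned(body: str):
    """Split a clearsigned body into (hash names, signed text, armored signature).
    Undoes dash-escaping and trailing whitespace (RFC 4880 section 7) so the text
    returned is exactly what was signed; raises ValueError on bad framing."""
    lines = body.replace("\r\n", "\n").split("\n")
    if not lines or lines[0] != SIGNED_MSG:
        raise ValueError("body is not a clearsigned message")
    i, hashes = 1, []
    while i < len(lines) and lines[i] != "":      # armor headers end at a blank line
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hashes += [h.strip() for h in value.split(",")]
        i += 1
    i += 1
    text = []
    while i < len(lines) and lines[i] != SIG_BEGIN:
        line = lines[i][2:] if lines[i].startswith("- ") else lines[i]
        text.append(line.rstrip(" \t"))
        i += 1
    if SIG_END not in lines[i:]:
        raise ValueError("signature block missing or unterminated")
    end = lines.index(SIG_END, i)
    return hashes, "\n".join(text), "\n".join(lines[i:end + 1]) + "\n"

def gpg_verify(body: str, gpg_home: str):
    """Let gpg check the signature over the whole body; returns the signing key's
    fingerprint from the VALIDSIG status line, or None. Assumes (for this example)
    that the enrolled users' public keys live in the keyring at gpg_home."""
    proc = subprocess.run(
        ["gpg", "--homedir", gpg_home, "--batch", "--status-fd", "1", "--verify"],
        input=body.encode(), capture_output=True)
    for line in proc.stdout.decode(errors="replace").splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None

def signed_fields(body: str, gpg_home: str):
    """(fingerprint, fields) from the signed text only; (None, {}) if it fails."""
    _, cleartext, _ = split_clearsigned(body)
    fpr = gpg_verify(body, gpg_home)
    return (fpr, parse_qs(cleartext, keep_blank_values=True)) if fpr else (None, {})

# Constructed sample body: trailing blanks in the payload, placeholder signature.
SAMPLE_BODY = "\n".join([SIGNED_MSG, "Hash: SHA1", "", "variable=test&user=alice   ",
                         SIG_BEGIN, "", "PLACEHOLDERnotArealSignature=", "=XXXX", SIG_END, ""])
```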
For a demo of an Enigform-based login procedure, using AJAX and FORM SUBMIT, configure your
GnuPG, install Enigform, then go to: http://enigformdemo.buanzo.com.ar.
Enigform: http://enigform.mozdev.org
Latest Version: 0.6.5
Work-in-progress draft: http://www.buanzo.com.ar/sec/enigform.en.html
Hope you like it!
--
Arturo "Buanzo" Busleiman - Independent IT Security Consultant
Secure Mail Hosting and Consulting - http://www.buanzo.com.ar/pro/