dinkel wrote: I did some thinking about how I would like the signed requests to arrive at my server and I found out that the best would be if simply everything (request line, headers and body) would be signed, as it would give me the best certainty that nothing would have been changed.
As you realize later, I can't guarantee anything regarding request modification. So far, taking into account the request_line, and get/post body, and maybe a couple of headers would be OK... there are also other issues that are out of my control, like transparent proxies that add/remove/modify headers, etc... that means the LEAST number of signed fields might be the better.
dinkel wrote: My tests with WEBrick (HTTP server written in Ruby) showed that the headers are put in a hash table and the order when iterating over it is random. So I guess this is one reason you needed to have the 'X-OpenPGP-Sig-Fields:' header.
You're quite right. My original discussions with the OpenPGP Working Group at the IETF presented those kinds of situations.
dinkel wrote: This however imposes that a server app possibly needs to deal with positively verified requests that have other 'X-OpenPGP-Sig-Fields:' being signed and verified, meaning that the server app can't only parse the 'X-Auth-OpenPGP' for authorization, which is in my opinion unnecessarily complicated.
Certainly. The less the web application needs to worry about 'sessions', 'authentication' and such, the better.
Another problem I see: If a man-in-the-middle intercepts a request from a client asking to get the bank account summary, the request will be the same every time, so the interceptor can send the same request again and get the information. To avoid this behaviour, there needs to be some challenge-response mechanism. I don't know yet what could be an appropriate way to do it.
Run signed requests over SSL, or wait until Enigform/mod_auth_openpgp support OpenPGP encryption/decryption.
dinkel wrote: Let me know if I can do something for the project. I will hack around with WEBrick in the meantime.
You are already doing something
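
The signed-field-list idea discussed in this thread, as an added example that is not part of the original posts and is not Enigform or mod_auth_openpgp code: the verifier rebuilds the signed string from only the listed headers, in the listed order, so hash iteration order and proxy-added headers do not matter. It assumes the field list is a comma-separated value and uses HMAC-SHA256 as a stand-in for the OpenPGP signature; the function names, key and sample request are hypothetical.

```ruby
require 'openssl'

KEY = 'constructed-demo-key' # stand-in for the OpenPGP key pair (assumption)

# String to sign: request line, then only the listed headers in list order,
# then the body. Header names are case-insensitive, so normalise for lookup.
def canonical_string(request_line, headers, sig_fields, body)
  lookup = headers.each_with_object({}) { |(k, v), h| h[k.downcase] = v.strip }
  lines = sig_fields.split(',').map(&:strip).reject(&:empty?).map do |name|
    value = lookup[name.downcase]
    raise ArgumentError, "signed field missing: #{name}" if value.nil?
    "#{name.downcase}:#{value}"
  end
  ([request_line] + lines + [body.to_s]).join("\n")
end

def sign(request_line, headers, sig_fields, body)
  data = canonical_string(request_line, headers, sig_fields, body)
  OpenSSL::HMAC.hexdigest('SHA256', KEY, data)
end

# Constant-time comparison so the check does not leak where strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A listed field that is absent from the request fails verification.
def verify(request_line, headers, sig_fields, body, signature)
  secure_equal?(sign(request_line, headers, sig_fields, body), signature)
rescue ArgumentError
  false
end

# Constructed sample request, as the client sends it.
REQ_LINE = 'GET /account/summary HTTP/1.1'
SENT     = { 'Host' => 'bank.example', 'Accept' => 'text/html' }
FIELDS   = 'Host, Accept'
SIG      = sign(REQ_LINE, SENT, FIELDS, '')

# The same request as a server might see it: different iteration order,
# lower-cased names, and a Via header added by a transparent proxy.
RECEIVED = { 'via' => '1.1 proxy.example', 'accept' => 'text/html',
             'host' => 'bank.example' }
```

Verifying `RECEIVED` a second time with the same `SIG` still succeeds, which is the replay concern raised above: signing fields detects modification, not repetition.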