HTTP-Signature Auth for Solid?

[bblfish]

HTTP-Signatures is an IETF draft standard that is pretty simple way to authenticate over HTTP using a public key. (Indeed both could work together by simply giving a key in a WebID profile a fragment-identifier based URL)

It could be used with a logic very similar to WebID by passing a WebID along with the signature. It could also work with DID's as I see, follow quite similar logic - as I see DID's try to create a distance between the key publication and the ID. And it could be a good base of Verifiable Claims too.

I wrote up some libraries in Scala Akka-Http-Signature and these could also be compiled to Scala-JS (and so used with JS) with a bit of work. I also wrote code that used this for authentication in a client app rww-scala-js using JavaScrypt Crypto library 4 years ago.

This would be as efficient as WebID-TLS.
The advantage over TLS is that it does not cross HTTP layers, and so should fit very well with HTTP2.0 (SPDY). It does not have the UI support of browsers on the other hand that WebID-TLS has (though that is not so good).

I suppose it would be interesting to check the advantages this would have over other authentication protocols used in SoliD, and to understand where this stands.

[dmitrizagidulin]

While I agree in general (that HTTP-Signatures is a good authentication scheme), this is an access control spec repo, not an authentication spec, so I think this issue is out of scope :) (And should be moved).

Incidentally, like everything, HTTP-Signatures authn is a set of engineering tradeoffs. It requires the management of permanent private keys for the user and the app, and so is more appropriate either for confidential client use cases like server-to-server authentication, or advanced in-browser clients that use the Credential Handler API (which is still in polyfill/incubation stage).