Commit
Script updating archive at 2024-10-29T01:07:05Z. [ci skip]
ID Bot committed Oct 29, 2024
1 parent ef0e9f6 commit 740ab2a
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion archive.json
@@ -1,6 +1,6 @@
{
"magic": "E!vIA5L86J2I",
"timestamp": "2024-10-27T01:10:36.217185+00:00",
"timestamp": "2024-10-29T01:07:03.465118+00:00",
"repo": "richsalz/draft-rsalz-httpapi-privacy",
"labels": [
{
Expand Down Expand Up @@ -176,6 +176,22 @@
"updatedAt": "2024-09-05T00:03:23Z",
"closedAt": null,
"comments": []
},
{
"number": 8,
"id": "I_kwDOMPAWUs6cHruY",
"title": "Revoking signature-based authentication",
"url": "https://github.com/richsalz/draft-rsalz-httpapi-privacy/issues/8",
"state": "OPEN",
"author": "Acconut",
"authorAssociation": "COLLABORATOR",
"assignees": [],
"labels": [],
"body": "The draft recommends revoking credentials if they are received over an insecure channel. This makes sense for requests which directly include an API key, for example as a Bearer token, because an eavesdropper can directly see and abuse the API key.\r\n\r\nAnother common form for API authentication is using an authentication pair consisting of a pair ID for identifying the user and a secret, which is only known to the service provider and the user. An authenticated request then includes the pair ID and a signature generated with a HMAC and the secret. The request does not directly include the secret. [AWS uses this approach](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html), for example.\r\n\r\nIf an attacker eavesdrops on such a request, they obtain knowledge about the pair ID, but not the secret. While leaking the pair ID may not be ideal, obtaining the ID and signature does not allow an attacker to abuse the authentication pair and forge signatures. Should in these cases the authentication pair still be revoked? Should the draft distinguish between requests that directly include the secret credentials and those which include signatures?",
"createdAt": "2024-10-28T18:51:17Z",
"updatedAt": "2024-10-28T18:51:18Z",
"closedAt": null,
"comments": []
}
],
"pulls": [
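Review bot: The new record for issue 8 uses the same field set as the entry above it (`number`, `id`, `title`, `url`, `state`, `author`, `authorAssociation`, `assignees`, `labels`, `body`, `createdAt`, `updatedAt`, `closedAt`, `comments`), so an existing consumer of archive.json keeps parsing it; the one thing to check on the next regeneration is that the `body` string keeps its `\r\n` escapes, since the three paragraphs of the issue text depend on them. The body itself is worth tracking against the draft text: it asks whether the recommendation to revoke credentials received over an insecure channel should apply to HMAC-signed requests (pair ID plus signature, secret never transmitted) the same way it applies to bearer tokens, given that an eavesdropper on such a request sees the pair ID and a signature but not the secret needed to forge further signatures.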