Last update: Wed, Jul 27, 2011 at 9:27 AM.
Feedback on the SLIde proposal
  • I've sent links to the SLIde proposal to a number of people whose opinions I respect, asking them to review and comment.
  • I've been blown away by the response. Much much better than what you get when you put a proposal out there publicly. This is the way I want to do it for all half-baked ideas in the future. :-)
  • Here's a summary of what's come back, with my comments.
  • 1. Unix timestamp format. Several people recommended using this instead of RFC822 format. The argument in favor of RFC822 is that it's just as broadly supported as any other time format, is human-readable as well as machine-readable. But I could easily give on this one, and likely will.
    • Argument in favor of SSL -- it prevents spoofed responses. Imagine you wanted access to someone's account. Hack a router between the two servers. Return "yes" when a request comes in for the user whose account you want access to.
  • 3. Include a version number somewhere in the protocol. Good idea. Two choices. Could make the requests go to /v1 /v2 etc. Or include the version number as a string. I'd make it optional for version 1, in case there is no version 2.
  • 4. It was pointed out that there is a 5-minute window for replay attacks. This could be prevented by not allowing any timestamp to be used twice. This means that you could do no more than one validation per account per second. Does not seem like an important limit, and I am inclined to include this in the proposal.
  • 5. "Security geeks will respect the hash a lot more if it uses Bcrypt instead of SHA-1, since SHA-1 can be brute-forced so quickly on programmable GPUs."
  • 6. "You shouldn't use a user password directly as the HMAC key, because the entropy of a password is not that of a secret key, which means you're using HMAC in a way that doesn't fit its specification."
  • 7. "Why does signature have to be base64 encoded if it's going to be url encoded?"
  • Any feedback not included here has been read by me and is being thought-about. :-)
  • Further comments can be sent to dave dot winer at gmail dot com. I would be happy to start a mail list if people felt that was a good way to continue. Happy to take notes on privately-sent feedback.
  • Also, I have included all your names in the reviewer's section. If you'd rather not have your name there, just say the word. I did not include names here where I quoted feedback.