
Add values of signing to docs #81

@kyyberi

Description


What is the problem?

Some clients have raised the questions:

  • Hi, technical question about the security model: what true value does the extra encryption provide while https is being used?
  • I cannot see any other than detecting that the request to a data product comes from PoT. Which could be handled with other means, e.g. tokens.

What do you expect to see / happen?

Add the explanation below to the appropriate spot in the API docs.


So in short:

Signing of requests from apps to PoT adds the value of authenticating the request source, and providing security against MITM attacks, and since the signature includes a timestamp it protects to some degree against replay/playback attacks.

Signing of requests from PoT to Translator adds the value of authenticating the request source: you can be sure it's PoT sending the request instead of some malicious actor. Since it's based on a signature and not a token, and the requests contain timestamps, it's less likely that someone will use a MITM attack to capture the request data to steal the token, modify the request payload, and do their own requests.

Signing of responses from Translator to PoT adds the value of proving the data's source; we can reduce the risk of MITM attacks, and there is the additional benefit that the end users of the data can prove with the signature that they bought this data at some given time from a known vendor.
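The three properties listed above (authenticating the source, detecting a modified payload, and bounding replay with a timestamp) can be shown in one small verifier. The following is an added example written for this issue, not the Platform of Trust signing scheme itself: it assumes an Ed25519 key pair per sender, a signature over sha256("<timestamp>\n" || body), a constructed JSON body, and a five-minute freshness window; the `ErrBadSignature`, `ErrStale` and `ErrReplay` names are hypothetical. The verifier authenticates first and only then touches its replay cache, so unauthenticated input cannot fill it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Errors the verifier returns; callers distinguish them with errors.Is.
var (
	ErrBadSignature = errors.New("signature does not verify under the expected public key")
	ErrStale        = errors.New("timestamp outside the accepted freshness window")
	ErrReplay       = errors.New("request already accepted within the freshness window")
)

// SignedRequest is the wire shape assumed for this example: the payload, the
// sender's timestamp, and one signature that covers both.
type SignedRequest struct {
	Body      []byte
	Timestamp int64 // Unix seconds; part of the signed material
	Signature []byte
}

// signedMaterial binds the timestamp to the body so that neither can be
// changed without invalidating the signature: sha256("<timestamp>\n" || body).
func signedMaterial(ts int64, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte(strconv.FormatInt(ts, 10)))
	h.Write([]byte{'\n'})
	h.Write(body)
	return h.Sum(nil)
}

// Sign produces a request signed with the sender's private key at time now.
func Sign(priv ed25519.PrivateKey, body []byte, now time.Time) SignedRequest {
	ts := now.Unix()
	return SignedRequest{Body: body, Timestamp: ts, Signature: ed25519.Sign(priv, signedMaterial(ts, body))}
}

// Verifier checks requests from one known sender. It remembers what it has
// accepted inside the freshness window so a captured request cannot be
// delivered a second time.
type Verifier struct {
	pub    ed25519.PublicKey
	window time.Duration
	seen   map[string]int64 // hex(signed digest) -> timestamp of the accepted request
}

func NewVerifier(pub ed25519.PublicKey, window time.Duration) *Verifier {
	return &Verifier{pub: pub, window: window, seen: make(map[string]int64)}
}

// Verify returns nil only when the signature is valid under the sender's key,
// the timestamp is within the window of the receiver's clock, and the same
// signed (timestamp, body) pair has not been accepted before.
func (v *Verifier) Verify(r SignedRequest, now time.Time) error {
	digest := signedMaterial(r.Timestamp, r.Body)
	// 1. Authenticate first: only genuine requests may influence the cache.
	if !ed25519.Verify(v.pub, digest, r.Signature) {
		return ErrBadSignature
	}
	// 2. Freshness: the signed timestamp bounds how long a capture is usable.
	limit := int64(v.window / time.Second)
	if skew := now.Unix() - r.Timestamp; skew > limit || skew < -limit {
		return ErrStale
	}
	// 3. Replay: entries older than the window can no longer pass step 2,
	//    so the cache only needs to hold entries from inside it.
	for k, ts := range v.seen {
		if now.Unix()-ts > limit {
			delete(v.seen, k)
		}
	}
	key := hex.EncodeToString(digest)
	if _, dup := v.seen[key]; dup {
		return ErrReplay
	}
	v.seen[key] = r.Timestamp
	return nil
}

func main() {
	// Constructed key pair and payload for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(pub, 5*time.Minute)
	now := time.Now()
	req := Sign(priv, []byte(`{"productCode":"demo-product","parameters":{}}`), now)

	fmt.Println("first delivery:", v.Verify(req, now))
	fmt.Println("replayed copy: ", v.Verify(req, now.Add(time.Minute)))
	tampered := req
	tampered.Body = []byte(`{"productCode":"other-product","parameters":{}}`)
	fmt.Println("edited payload:", v.Verify(tampered, now))
	fmt.Println("old timestamp: ", v.Verify(Sign(priv, req.Body, now.Add(-time.Hour)), now))
}
```

Two points the example makes concrete: a captured signed request is worth nothing outside its window and only ever for the exact payload that was signed, which is the difference from a captured bearer token; and because the key pair is asymmetric, a recipient holding a signed response can show it to a third party later, which is the provability benefit mentioned for Translator responses. Clock skew between sender and receiver sets the practical lower bound for the window.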

