Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
John Panzer <jpanzer@google.com> Fri, 24 September 2010 16:12 UTC
Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DC8643A6BC5 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.927
X-Spam-Level:
X-Spam-Status: No, score=-105.927 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xQWgNvvC2yV8 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:12:09 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id C4C8B3A6BB7 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:11:46 -0700 (PDT)
Received: from hpaq3.eem.corp.google.com (hpaq3.eem.corp.google.com [172.25.149.3]) by smtp-out.google.com with ESMTP id o8OGBtZ5010822 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:11:55 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285344715; bh=/qwNxwBhRoWVcaKGdlA9Uh4ioJg=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=vfSdCJftLN95DRSi/zU1qIxcPsMJVvr9El16rXbnCnrRx0tXqkoZ9xom/tWgzyuqb g/n3vV3ILzh0INs8vebFw==
Received: from pvh11 (pvh11.prod.google.com [10.241.210.203]) by hpaq3.eem.corp.google.com with ESMTP id o8OGBq4Y006891 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:11:53 -0700
Received: by pvh11 with SMTP id 11so1036368pvh.18 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:11:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=vSsg9PZvD4KeIczvrCDLXQJbV05mlaa5dUc869hmBjM=; b=lRItlmnfQddgjtSSclOErHQewNzy6gme/uDhfQGhYZsRys7JEXxMyaBnjQO3py7RI5 70WW0nxzs39jNKOw8wtg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=B+AkuyytLfHsPyvpL39UVtQSPAck4yJC3qAcr3J5udgVmQORKD91sHr3z/irw3S6Ge grY5gIawi0tN3x9OxbJw==
Received: by 10.142.141.11 with SMTP id o11mr1349985wfd.54.1285344712167; Fri, 24 Sep 2010 09:11:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.233.7 with HTTP; Fri, 24 Sep 2010 09:11:32 -0700 (PDT)
In-Reply-To: <BFF19F03-2B06-4C93-8CE0-2C9A6A267CE4@bbn.com>
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <BFF19F03-2B06-4C93-8CE0-2C9A6A267CE4@bbn.com>
From: John Panzer <jpanzer@google.com>
Date: Fri, 24 Sep 2010 09:11:32 -0700
Message-ID: <AANLkTimVM7VaU=Y3wyVnT=LMOP1uVtAeHZNCV7DPNr2w@mail.gmail.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: multipart/alternative; boundary="000e0cd17e62fb9360049103a200"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:12:26 -0000
Richard, I'm a bit confused because the made-up example you give below is, essentially, what Magic Signatures does. The algorithm you present is basically the correct one IMHO. Are you assuming that the recipient is _also_ using the HTTP-level method and URL path for some important security decision? (Note: I'm assuming it's fine to use this unverified host/path data for tentative routing to an intended recipient, because the worst thing a MITM attacker can possibly do is to route it to the wrong recipient. As long as the recipient uses only signed information to decide whether it will actually ACCEPT the data, it will be fine. MITM attackers can always mis-route even signed messages of course, given that firewalls etc. are not aware of signatures, so I don't see this as a distinction.) -- John Panzer / Google jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> / @jpanzer On Fri, Sep 24, 2010 at 8:26 AM, Richard L. Barnes <rbarnes@bbn.com> wrote: > Yes, there is certainly a risk if someone just checks the signature and >> does not verify the content of the message. This is a bad implementation >> of an authorization system, to be sure, and it's an issue that people >> need to be aware of. But simply signing metadata doesn't completely >> solve the problem, either. In both cases there can be parameters that >> are outside of the signed request that need to be checked and treated >> appropriately. >> > > Ah, perhaps I was unclear. I didn't mean *signing* metadata, I meant > *sending* metadata. Using a completely made-up syntax: > > 1. Signer computes signature sig_val over data object: > { user_agent: "Mozilla", method: "GET" } > 2. Signer sends { signed_fields: ['user_agent', 'method'], sig: sig_val } > 3. Recipient reconstructs data object using signed_fields > 4. Recipient verifies sig_val == sign(reconstructed_object) > > --Richard > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes