IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Mike Malone <mjmalone@gmail.com> Tue, 01 December 2009 19:01 UTC

Return-Path: <mjmalone@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E5DD28C0E9 for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 11:01:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.562
X-Spam-Level:
X-Spam-Status: No, score=-2.562 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ciDa+53YNJxn for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 11:01:50 -0800 (PST)
Received: from mail-qy0-f203.google.com (mail-qy0-f203.google.com [209.85.221.203]) by core3.amsl.com (Postfix) with ESMTP id DD41D3A6965 for <oauth@ietf.org>; Tue, 1 Dec 2009 11:01:49 -0800 (PST)
Received: by qyk41 with SMTP id 41so2546699qyk.29 for <oauth@ietf.org>; Tue, 01 Dec 2009 11:01:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=hfq7YjoOu3KMCYtae7/jZffjB9Uivj2YoWuSJXbYe6Q=; b=sFCuKK49tN/wz6RYSdft1Ejl4vhkRdIKTC3L4LdCSGj6X77zW8iqhY4zoXL6D32Om9 dFeYzuEMGYSu5OARQDGZ3uqZDn7cybprexbNT7rvBPlKcIoT5ioabPIY+TdpcUw7kaD9 BG5DRN7cUoFlScGxk6oCe/hF5UYTckJA/hmQA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=EPsA33CxHLxQgWSS1OcXRwkJDtmVHOQq/bp0GZlBVlgWMlgTdConKvhgSoa2Qi1jwC q3j0oYMchK3ZJJ+YkOSzYZ3wKDO0RU2YkOUKEN7bJEdOoyCj5GUCnWyy0rm75GnXnYWt SDqIWieK1atO9kpA2+Gj2R8SHZ3V1R+gx4LLw=
MIME-Version: 1.0
Received: by 10.229.29.148 with SMTP id q20mr876078qcc.51.1259694097421; Tue, 01 Dec 2009 11:01:37 -0800 (PST)
In-Reply-To: <cb5f7a380912011034h4d9d92e8u53d2dc4b8978b6ad@mail.gmail.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com> <cb5f7a380912010852j3251199dse8d10da469dafa@mail.gmail.com> <a9d9121c0912011022p746e187fn1ff8240dbcdde096@mail.gmail.com> <cb5f7a380912011034h4d9d92e8u53d2dc4b8978b6ad@mail.gmail.com>
Date: Tue, 01 Dec 2009 11:01:37 -0800
Message-ID: <a9d9121c0912011101v2a68709x60bac31c807df74d@mail.gmail.com>
From: Mike Malone <mjmalone@gmail.com>
To: John Panzer <jpanzer@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 19:01:51 -0000

On Tue, Dec 1, 2009 at 10:34 AM, John Panzer <jpanzer@google.com> wrote:
> On Tue, Dec 1, 2009 at 10:22 AM, Mike Malone <mjmalone@gmail.com> wrote:
>>
>> On Tue, Dec 1, 2009 at 8:52 AM, John Panzer <jpanzer@google.com> wrote:
>> > On Mon, Nov 30, 2009 at 2:32 PM, Mike Malone <mjmalone@gmail.com> wrote:
>> >>
>> >> On Mon, Nov 30, 2009 at 11:17 AM, Dick Hardt <Dick.Hardt@microsoft.com>
>> >> wrote:
>> >> >
>> >> > On 2009-11-13, at 7:21 AM, Eran Hammer-Lahav wrote:
>> >> >>
>> >> >> I for one, see great value in offering some form of crypto-based
>> >> >> security for cases where TLS is not suitable.
>> >> >
>> >> > Are these use cases enumerated somewhere?
>> >>
>> >> I'm not completely opposed to the TLS route, but since you asked...
>> >> off the top of my head, here are a couple drawbacks to using TLS
>> >> instead of signing:
>> >>  - Bigger burden on developers who need to debug this stuff (i.e.,
>> >> you can't sniff your own traffic to debug requests & responses).
>> >>  - Properly setting up TLS can be complicated and expensive. For
>> >> developers who don't have a lot of ops skills the barrier may be too
>> >> high.
>> >>  - You can no longer pass around signed URLs as another level of
>> >> delegation (a use case that I use regularly for making XHR & POST
>> >> requests from the browser). This could be a non-issue if some other
>> >> mechanism for fourth-party delegation existed.
>> >>
>> > Can you elaborate on the above?  For OAuth, signatures (bound to a
>> > particular Consumer Secret that can't be leaked to subcontractors) is a
>> > barrier to multi-level delegation.
>>
>> Right, but you can do poor-man's delegation by signing a URL and
>> passing it off to a third (er, fourth) party to use. I've seen this
>> most often with web apps, where the app (the OAuth Consumer) wants to
>> make a request to the Provider directly from the browser (e.g.,
>> POSTing a large file). They can't sign the URL in javascript without
>> compromising the Consumer Secret, so the the URL is signed server side
>> and passed to the browser for use.
>
> That's the reverse (proxy authorization) -- the client is relying on the
> proxy to do the signing, and the proxy has to figure out based on other
> stuff (browser cookies, magic incantations) whether _its_ client is
> authorized.  This is the OAuth Proxy model.

Yea sort of. It's proxying the signing, but it's not proxying the
actual request.

> I thought you were talking about being able to get user consent for service
> X to do something, but then service X sub-contracts out some of the work to
> service Y, perhaps run by a separate organization.  Y can call-back to X to
> do its work, neatly defeating some of the purpose of sub-contracting work
> out as everything flows through X anyway.  Or X could hand a signed URL to
> Y, but then Y can only deal with what was actually signed, and can't vary
> the parameters, again defeating much of the purpose of subcontracting.
>  Also, isn't there a nonce in there?  So Y can only make one call with that
> URL before returning to the well.

All true. The use case where this becomes incredibly useful (despite
the limitations you mentioned) is for allowing file uploads from the
browser without the Consumer proxying everything. Since OAuth doesn't
sign a multipart/form-data body you can vary that without a problem.
And since the file upload typically takes some time, asking the
Consumer for a signed URL for each request isn't much of a burden.

> It'd be much better to (in an extension!) be able to say "Give me a token
> just like the one I have, but read-only, and only valid for 3 minutes, and
> I'm going to let another service use it" and get a restricted token to hand
> off to a sub-contractor[1].

Yes. I want that.

> In any case, I don't see how signing the URL helps with doing something
> along these lines, and I think if it does anything at all it hurts (because
> of inclusion of things like nonces and timestamps).  Yeah, there are some
> basic use cases for it, like getting access to a read-only feed (capability
> URLs) but those can be accomplished quite as well and more simply with
> bearer tokens IMHO.

Yea, an extension would be nice. I guess what I'm saying is that
whatever we do moving forward should at least keep the basic level of
delegation we have, however naive and broken it is, because it's
useful.

> John
> [1] I am going on strike and refusing to go beyond "third party" as there
> are actually an infinite number of parties and use cases here and I can't
> keep them straight any more.

Thank god.

Mike

v2.23.0 | Report a Bug | By Email