IETF Logo Mail Archive

Re: [oauth] OAuth only for HTTP request signing?

Onyx Raven <onyxraven@gmail.com> Thu, 05 February 2009 21:39 UTC

Return-Path: <onyxraven@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B3B3C3A69B7 for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 13:39:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dEJg0xJyjsD1 for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 13:39:57 -0800 (PST)
Received: from mail-qy0-f11.google.com (mail-qy0-f11.google.com [209.85.221.11]) by core3.amsl.com (Postfix) with ESMTP id BF20E3A6827 for <oauth@ietf.org>; Thu, 5 Feb 2009 13:39:56 -0800 (PST)
Received: by qyk4 with SMTP id 4so744190qyk.13 for <oauth@ietf.org>; Thu, 05 Feb 2009 13:39:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=5S0ErYa3O5TzCwEj6FAQOpHO1ud8LrzUE42QZ21VTn4=; b=VtF58MpiJOh230VhNUJliejia04VdalftQbG7ISw8pIS/yh9qGloJMlOHXVtxbk8HP Vk+FAFwKBB5l1/m6zIyTTgdrjVWbQL7urbiJdQZarC3PvNUb/3EgFBqmNlQYSSQOEcSj wFHU1BqHEdg0x6NFHXTkOnUJ5o6i+JP59XmDk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=uBbsdkid0Kk7hP/FLsMjK0FtgSZNQfivnhIwZtWye+oLSpoj3wrdfW9Z/MWu9yVVz6 YiW6qt+ZVU/5E+9QlGW3scTxRlknq0Ur1Y7Zln0BMVOOe9g1cyrI9L7KCss4akdWyNqi lrhzAZmJuBREmbsOSTuc/BDhTVcwUqmJl3oV8=
MIME-Version: 1.0
Received: by 10.229.110.13 with SMTP id l13mr494544qcp.4.1233869996773; Thu, 05 Feb 2009 13:39:56 -0800 (PST)
In-Reply-To: <c5eeec030902051337l2b3c8419w746989a0a7ee5d63@mail.gmail.com>
References: <c5eeec030902050912o7fab2c2la5b3af7835605f0b@mail.gmail.com> <C5B08727.122A7%eran@hueniverse.com> <1d7d37050902051252h3eb088a9rc48758a99825372@mail.gmail.com> <CAF39496-4B6A-48C7-B489-77DD146EFEB8@jkemp.net> <c5eeec030902051337l2b3c8419w746989a0a7ee5d63@mail.gmail.com>
Date: Thu, 05 Feb 2009 14:39:56 -0700
Message-ID: <c5eeec030902051339y268113a6ofc7bdd2d57aabdcd@mail.gmail.com>
From: Onyx Raven <onyxraven@gmail.com>
To: John Kemp <john@jkemp.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth only for HTTP request signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2009 21:39:57 -0000

Sorry, I got ahead of myself about the signature/signing -
METHOD&RESOURCE&PARAMETERS, hashed with one of the accepted methods
(RSA-SHA1, HMAC-SHA1, PLAINTEXT).

On Thu, Feb 5, 2009 at 2:37 PM, Onyx Raven <onyxraven@gmail.com> wrote:
> So, thats what I was trying to get at.  I agree that the excepted
> token consumer-request -> sp-auth -> consumer-access process should be
> HTTP based as it is defined now.  It was really more about the
> consumer -> sp request signing (with delegated access), which like
> below, could be XMPP, IRC, proprietary game protocols, etc.  At a
> basic level, signature signing is defined as
> METHOD&RESOURCE&PARAMETERS (where parameters are key/value pairs
> structured in www-form-urlencoded style).
>
> But like I said before, as long as the core standard has acceptable
> wording for other consumer -> sp request protocols to hook into, thats
> what matters there.  I just wanted to be sure we didn't get locked
> into something we might want alternatives to in the future.
>
> On Thu, Feb 5, 2009 at 2:21 PM, John Kemp <john@jkemp.net> wrote:
>> On Feb 5, 2009, at 3:52 PM, Seth Fitzsimmons wrote:
>>
>>>
>>> XMPP (XEP-0235) assumes that tokens are exchanged out of band, leaving
>>> that mechanism in HTTP.
>>
>> Right. The point being that there are at least two potentially-independent
>> parts to OAuth - a set of signature mechanisms (RSA-SHA1, HMAC-SHA1,
>> PLAINTEXT), and an HTTP-based protocol for token exchange.
>>
>> [...]
>>
>>>
>>> To me, the most useful aspect of OAuth when applied to other protocols
>>> is a clearly defined way to generate signatures given constituent
>>> components.
>>
>> I think it's certainly reasonable to suggest that the signature mechanisms
>> be defined so as to be useful in contexts other than HTTP. Which apparently
>> already worked well-enough for XMPP with OAuth 1.0.
>>
>> - johnk
>>
>

v2.46.0 | Report a Bug | By Email | System Status