Re: [OAUTH-WG] Signature crypto
John Kemp <john@jkemp.net> Wed, 25 November 2009 19:01 UTC
Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A7F83A6859 for <oauth@core3.amsl.com>; Wed, 25 Nov 2009 11:01:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ly9TFHB0RzyJ for <oauth@core3.amsl.com>; Wed, 25 Nov 2009 11:01:11 -0800 (PST)
Received: from outbound-mail-159.bluehost.com (outbound-mail-159.bluehost.com [67.222.39.39]) by core3.amsl.com (Postfix) with SMTP id 0D1D43A67A2 for <oauth@ietf.org>; Wed, 25 Nov 2009 11:01:11 -0800 (PST)
Received: (qmail 18717 invoked by uid 0); 25 Nov 2009 19:01:06 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by outboundproxy5.bluehost.com with SMTP; 25 Nov 2009 19:01:06 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=hVoOwiDSdTg+jrHF7rh1wuqsjJQ6em8Y0cYuCWxkU5Jur+8lYwNSVa1+I+lvPiyRUYIWvjrqhY+0PbcIhWwmt30alxU8zC4694gMlFVrQ4QK6w/719DwEUSeyFHcNzP4;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.110]) by box320.bluehost.com with esmtpa (Exim 4.69) (envelope-from <john@jkemp.net>) id 1NDN6v-0003Bs-GR; Wed, 25 Nov 2009 12:01:05 -0700
Message-ID: <4B0D7EF0.5010002@jkemp.net>
Date: Wed, 25 Nov 2009 14:01:04 -0500
From: John Kemp <john@jkemp.net>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "Infinity Linden (Meadhbh Hamrick)" <infinity@lindenlab.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343785183009@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B0D3698.8070706@cs.tcd.ie> <3a880e2c0911250618w358579d9o38b5ad90cb9242af@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4501EE54E2@FIESEXC015.nsn-intra.net> <3a880e2c0911251024g1310d64fld7adf54951433d30@mail.gmail.com>
In-Reply-To: <3a880e2c0911251024g1310d64fld7adf54951433d30@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Signature crypto
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 19:01:12 -0000
Infinity Linden (Meadhbh Hamrick) wrote: [...] > > so the moral of the story is that if you don't mandate a required > algorithm, you'll get MOSS. And is that, in practice, a problem for anyone? [...] > a. if we don't have a required algorithm somewhere, you will find that > OAuth users will select whatever algorithm set they like. many times, > they will choose algorithms that other people don't use. when they start > to want to interoperate with these people, there will be a mild gnashing > of teeth as the two parties make a pairwise agreement over which > algorithm they'll use. it's not the end of the world, but this sort of > pairwise algorithm negotiation will occur all over the place. > > b. if you put required algorithms in a second RFC, distinct from the > draft defining OAuth mechanisms, you will quickly see someone write an > additional draft with a new set of required algorithms. you'll then have > a mild amount of confusion over which one should be supported, possibly > ending when everyone decides to support both. in this case, you might as > well have defined both as being REQUIRED. > > c. if chaos looms for longer than it takes for a FLOSS developer to > reasonably apply support to PHP, Python/WSGI and Java, then you'll see > whatever algorithm choice that developer makes become the de facto > standard (because it's available everywhere.) if we're unlucky, that > developer will make their algorithm choice based on the 1996 edition of > Applied Crypto which does not have suitable exhortations for developers > to eschew MD5. > > so... it's probably less about it being absolutely necessary to select a > required algorithm for the spec, and more about what kind of chaos can > we live with? Yes, I'd say that might even be roughly the choice but put it in different terms: What kind of interoperability do we want? If an implementation is forced to implement a particular hash algorithm in order to be "compliant" with the specification when it won't in practice use that algorithm, I don't see that as very useful. Either implementors will say their implementation is compliant, or they'll say that their implementation is not OAuth (or RFCXXXX). How does either of those things help anyone? As Hannes noted, if we require a specific hash algorithm then every time we need to change the MTI algorithm(s) we also need to update the specification. In any case, I wouldn't really call it "chaos" just because there are multiple OSS implementations. I hope that people will develop tools that work for them. And I suspect that the most important parts of OAuth to standardize on are a) the protocol itself, b) the HTTP authentication mechanism and c) a method of negotiating the relevant twiddly bits, as necessary (and where it should be noted that "no signature at all" is potentially an acceptable signature algorithm). - johnk
- [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Peter Saint-Andre
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto Hubert Le Van Gong
- Re: [OAUTH-WG] Signature crypto Vrancken Bart bv
- Re: [OAUTH-WG] Signature crypto Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto John Kemp
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Ben Laurie
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Manger, James H
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Paul C. Bryan
- Re: [OAUTH-WG] Signature crypto stephen.farrell
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Richard Barnes
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Richard L. Barnes