[OAUTH-WG] MAC - body hash and response body hash and cache-control headers
Peter Wolanin <peter.wolanin@acquia.com> Sat, 18 February 2012 20:53 UTC
Return-Path: <peter.wolanin@acquia.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CD1E21E8025 for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 12:53:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tlY1x8bufCQ for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 12:53:20 -0800 (PST)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by ietfa.amsl.com (Postfix) with SMTP id 9A62621E8026 for <OAuth@ietf.org>; Sat, 18 Feb 2012 12:53:20 -0800 (PST)
Received: from mail-iy0-f174.google.com ([209.85.210.174]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKT0APv0CTFvAUNaqcv6BQqf2x2ZKaMv+6@postini.com; Sat, 18 Feb 2012 12:53:20 PST
Received: by iacb35 with SMTP id b35so5871659iac.19 for <OAuth@ietf.org>; Sat, 18 Feb 2012 12:53:19 -0800 (PST)
Received-SPF: pass (google.com: domain of peter.wolanin@acquia.com designates 10.50.203.66 as permitted sender) client-ip=10.50.203.66;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of peter.wolanin@acquia.com designates 10.50.203.66 as permitted sender) smtp.mail=peter.wolanin@acquia.com
Received: from mr.google.com ([10.50.203.66]) by 10.50.203.66 with SMTP id ko2mr4389675igc.7.1329598399294 (num_hops = 1); Sat, 18 Feb 2012 12:53:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.50.203.66 with SMTP id ko2mr3561868igc.7.1329598399216; Sat, 18 Feb 2012 12:53:19 -0800 (PST)
Received: by 10.231.20.12 with HTTP; Sat, 18 Feb 2012 12:53:19 -0800 (PST)
Date: Sat, 18 Feb 2012 15:53:19 -0500
Message-ID: <CAH0thKDXpSCNutS88dkJ4i9rutpdu-UYHip1SDk+UriRdM+MEw@mail.gmail.com>
From: Peter Wolanin <peter.wolanin@acquia.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="UTF-8"
X-Gm-Message-State: ALoCoQkVKqop6HM4qTqCc5+Zzy2DAuKDH80FRkeWbd0kWjA7/AnR/KMiQoH5RNLqApYAoi+hUgMm
Cc: "OAuth@ietf.org" <OAuth@ietf.org>
Subject: [OAUTH-WG] MAC - body hash and response body hash and cache-control headers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 20:53:21 -0000
Dear Eran, I'm still hoping you will consider adding back the MAC spec a requirement for a body hash covered by the MAC. I still also feel that the lack of a hash covered by the MAC that protects the value of the response and response body makes this proposed spec quite a bit weaker than it should ideally be. You mentioned in arguing that there can be operational issues with verifying the body hash that intermediaries may transform the body. However, the HTTP 1.1 spec at least includes a header that seems designed specifically to mitigate at least the concerns about transformation of the body: Cache-Control: no-transform http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5 This header should be respected by well-behaved proxies. e.g. see: http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/#sec-request-no-transform It would seem that by including this header in the Oauth2 MAC spec for the request and the response there should not be operational issues with verifying a hash of the content? Thanks, Peter On Wed, Feb 8, 2012 at 5:59 PM, Eran Hammer <eran@hueniverse.com> wrote: > New draft: > > > > http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 > > > > EH > >
- [OAUTH-WG] MAC - body hash and response body hash… Peter Wolanin