Re: [OAUTH-WG] Signatures, Why?

Eve Maler <eve@xmlgrrl.com> Fri, 12 March 2010 22:09 UTC

From: Eve Maler <eve@xmlgrrl.com>
Date: Fri, 12 Mar 2010 14:09:22 -0800
To: Brian Eaton <beaton@google.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures, Why?

Agreed that token signing is separate from message signing as a proposition.  I just happened to stick all of our "signing" conversations into one bucket of notes...  Sorry that was confusing.

	Eve

On 12 Mar 2010, at 11:06 AM, Brian Eaton wrote:

> On Fri, Mar 12, 2010 at 10:22 AM, Eve Maler <eve@xmlgrrl.com> wrote:
>> It was observed that the argument in the OAuth community about token size
>> seems to be related to token signing, thusly: those who are willing to
>> require the Authorization Server to be stateless need large meaningful
>> tokens and want them signed; those who can use a stateful Authorization
>> Server can use small opaque tokens that don't need signing.
> 
> This seems orthogonal.  The confusion in this working group has not,
> for the most part, been about whether access tokens should be signed.
> 
> The debate has been more about whether clients need to use signatures
> when requesting access tokens, or when using access tokens.  On one
> side there are people who would prefer bearer tokens, and on the other
> side there are folks who want crypto in various bits of the protocol
> to meet different use cases.
> 
> Cheers,
> Brian


Eve Maler
eve@xmlgrrl.com
http://www.xmlgrrl.com/blog
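The distinction Eve's quoted paragraph draws (large, meaningful, signed tokens for a stateless Authorization Server versus small opaque tokens for a stateful one), as an added illustration that is not part of this thread: a self-contained token whose claims are integrity-protected by an HMAC tag so a resource server can check it with no shared state, beside an opaque random handle that only the issuing store can interpret. The shared key, the claims and the store are constructed for the example; neither variant signs the request itself, which is the separate question Brian raises.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key shared by the Authorization Server and resource server.
HMAC_KEY = b"constructed-demo-key-not-for-real-use"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Stateless AS: the token carries its own claims, so the resource server
# needs no lookup; the HMAC tag is what stops anyone from editing them.
def issue_signed_token(claims, key=HMAC_KEY):
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_signed_token(token, key=HMAC_KEY, now=None):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None  # forged or tampered
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired
    return claims

# Stateful AS: a short random handle with no meaning outside the server's
# store; no signature is needed because the claims never leave the server.
class OpaqueTokenStore:
    def __init__(self):
        self._db = {}

    def issue(self, claims):
        handle = secrets.token_urlsafe(16)
        self._db[handle] = dict(claims)
        return handle

    def lookup(self, handle, now=None):
        claims = self._db.get(handle)
        if claims is None or claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims

    def revoke(self, handle):
        self._db.pop(handle, None)  # immediate revocation; a signed token has no equivalent
```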