Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt

William Mills <wmills_92105@yahoo.com> Wed, 27 February 2013 09:18 UTC

References: <20130225124642.7425.65145.idtracker@ietfa.amsl.com> <1361956373.9883.YahooMailNeo@web31807.mail.mud.yahoo.com>
Message-ID: <1361956734.73841.YahooMailNeo@web31802.mail.mud.yahoo.com>
Date: Wed, 27 Feb 2013 01:18:54 -0800
From: William Mills <wmills_92105@yahoo.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <1361956373.9883.YahooMailNeo@web31807.mail.mud.yahoo.com>

And also...

How would the server mandate a set of header fields requiring signature?  How can the server mandate a signature method or do we just stay with the two options and allow either?  It might want to enforce SHA-256?

-bill
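
The two questions raised here and in the earlier message (an "Envelope MAC" whose signature base string covers the three JWT parts plus timestamp, nonce, port and selected header fields, and a server that mandates the MAC algorithm and the header set) sketched as runnable code. This is an added illustration, not the draft's wire format or the authors' code: the envelope layout, the line-per-field base string, the `POLICY` shape and the `hmac-sha-*` names are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed example: the server mandates the MAC algorithm and the request
# header fields the signature must cover (hypothetical policy shape).
ALGS = {"hmac-sha-256": hashlib.sha256, "hmac-sha-1": hashlib.sha1}
POLICY = {"alg": "hmac-sha-256", "headers": ["host", "content-type"]}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signature_base(jwt, ts, nonce, method, host, port, path, headers, policy):
    """Hypothetical normalized string: the three JWT parts, then timestamp, nonce,
    method, host, port, path and the mandated header values, one per line."""
    lines = jwt.split(".") + [str(ts), nonce, method.upper(), host.lower(), str(port), path]
    lines += [f"{n}:{headers[n].strip()}" for n in policy["headers"]]
    return "\n".join(lines) + "\n"

def sign(key, kid, jwt, method, host, port, path, headers, policy, ts=None, nonce=None):
    """Client side: append a 4th base64url JSON 'envelope' part carrying kid, ts,
    nonce, alg, the covered header names and the MAC over signature_base()."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = signature_base(jwt, ts, nonce, method, host, port, path, headers, policy)
    mac = hmac.new(key, base.encode(), ALGS[policy["alg"]]).digest()
    env = {"kid": kid, "ts": ts, "nonce": nonce, "alg": policy["alg"],
           "h": policy["headers"], "mac": b64url(mac)}
    return jwt + "." + b64url(json.dumps(env, separators=(",", ":")).encode())

def verify(keys, token, method, host, port, path, headers, policy, now, seen, skew=300):
    """Server side: reject tokens that ignore the mandated alg/header set, are
    outside the clock window, replay a (kid, nonce) pair, or fail the MAC."""
    *jwt_parts, env_b64 = token.split(".")
    if len(jwt_parts) != 3:
        return False
    env = json.loads(b64url_decode(env_b64))
    if env.get("alg") != policy["alg"] or env.get("h") != policy["headers"] or env.get("kid") not in keys:
        return False
    if any(n not in headers for n in policy["headers"]) or abs(now - env["ts"]) > skew \
            or (env["kid"], env["nonce"]) in seen:
        return False
    base = signature_base(".".join(jwt_parts), env["ts"], env["nonce"], method, host, port, path, headers, policy)
    expected = hmac.new(keys[env["kid"]], base.encode(), ALGS[env["alg"]]).digest()
    if not hmac.compare_digest(b64url(expected), env["mac"]):
        return False
    seen.add((env["kid"], env["nonce"]))  # record only after a successful check
    return True
```

Because the port and the nonce are part of the base string, moving the request to another port or replaying it with the same nonce both fail verification, which is the property the earlier message asks about.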


________________________________
 From: William Mills <wmills_92105@yahoo.com>
To: "oauth@ietf.org" <oauth@ietf.org>; Hannes Tschofenig <hannes.tschofenig@gmx.net> 
Sent: Wednesday, February 27, 2013 1:12 AM
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
 

Just read the draft quickly.  

Since we're now leaning on JWT do we need to include the token in this?  Why not just make an additional "Envelope MAC" thing and have the signature include the 3 JWT parts in the signature base string?  That object then just becomes a JSON container for the kid, timestamp, signature method, signature etc. That thing then is a 4th base64 encoded JSON thing in the auth header.

How header fields get included in the signature needs definition.

Why did you kill the port number, nonce, and extension parameter out of the signature base string?

The BNF appears to have no separators between values.

-bill



________________________________
 From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: i-d-announce@ietf.org 
Cc: oauth@ietf.org 
Sent: Monday, February 25, 2013 4:46 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
 

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

    Title           : OAuth 2.0 Message Authentication Code (MAC) Tokens
    Author(s)       : Justin Richer
                          William Mills
                          Hannes Tschofenig
    Filename        : draft-ietf-oauth-v2-http-mac-03.txt
    Pages           : 26
    Date            : 2013-02-25

Abstract:
   This specification describes how to use MAC Tokens in HTTP requests
   to access OAuth 2.0 protected resources.  An OAuth client willing to
   access a protected resource needs to demonstrate possession of a
   cryptographic key by using it with a keyed message digest function to
   the request.

   The document also defines a key distribution protocol for obtaining a
   fresh session key.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-03

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-http-mac-03


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
