Re: [OAUTH-WG] HTTP signing and parameter validation
Justin Richer <jricher@mit.edu> Sun, 28 February 2016 21:45 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F350C1A7D82 for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 13:45:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsN88wXT9hU5 for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 13:45:15 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF2C91A7D85 for <OAuth@ietf.org>; Sun, 28 Feb 2016 13:45:14 -0800 (PST)
X-AuditID: 12074422-f87ff700000071cb-5a-56d36a696d6d
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id FD.96.29131.96A63D65; Sun, 28 Feb 2016 16:45:13 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u1SLjC1k012226; Sun, 28 Feb 2016 16:45:12 -0500
Received: from [10.0.1.8] (ip68-104-118-32.lv.lv.cox.net [68.104.118.32]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u1SLj8Tm031275 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 28 Feb 2016 16:45:11 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_695BF99B-FC7E-45F2-A58D-6FD4890D7D07"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <004901d17270$c49dbaf0$4dd930d0$@gmail.com>
Date: Sun, 28 Feb 2016 13:45:07 -0800
Message-Id: <6C411BBF-9F01-4EA5-977B-B60517B698BC@mit.edu>
References: <004901d17270$c49dbaf0$4dd930d0$@gmail.com>
To: Brock Allen <brockallen@gmail.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpgleLIzCtJLcpLzFFi42IR4hTV1s3Muhxm0P2N12LGj6PsFiffvmJz YPLYOesuu8eSJT+ZApiiuGxSUnMyy1KL9O0SuDIOLEkvWGhQMbFvPmMD43nNLkYODgkBE4lX G5m6GLk4hATamCQe7WyCcjYySjS+7meHcI4xScy9NpcJpINZIEHi0kG+LkZODl4BPYlXty6z gtjCArYS3x4tZQOx2QRUJaavaWECsTkFLCS2r13KAmKzAMXvtU5ggxijLjF3ZQTEGCuJBRsP gZUICZhL9D7/BDZGREBNYuH0+cwgtoSArMTu34+YJjDyz0I4YhaSI0BsZgFtiWULXzND2JoS +7uXs2CKa0h0fpvIuoCRbRWjbEpulW5uYmZOcWqybnFyYl5eapGuqV5uZoleakrpJkZQQLO7 KO1gnPjP6xCjAAejEg/vC83LYUKsiWXFlbmHGCU5mJREefvEL4YJ8SXlp1RmJBZnxBeV5qQW H2KU4GBWEuF1twQq501JrKxKLcqHSUlzsCiJ8wZFHgsTEkhPLEnNTk0tSC2CycpwcChJ8GZm AjUKFqWmp1akZeaUIKSZODhBhvMADc8GqeEtLkjMLc5Mh8ifYlSUEudNBUkIgCQySvPgekEJ xyWjTOEVozjQK8K8XiBVPMBkBdf9CmgwE9BgifWXQAaXJCKkpBoYW6+mVOYZ+9n/WhjAN3HD k28cpzcsY7n0R+K/4Yw107l5b53+/l/ZpFNhR+j/tTuqckxC/j+0ecWQy2famxvB87/P++D+ 9Mnr9yxVM1e4a3ejVfr9TJ8fu3YfeWLzwm3N5E2hN18e0eW6rbV6wuWE+w97OQ+cPilkfPu1 ZM6FJ3u1ilplnxmsaFNiKc5INNRiLipOBAAszyoiEwMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3MBxxHXlBploeKEoV_Y_LOYodYM>
Cc: "<oauth@ietf.org>" <OAuth@ietf.org>
Subject: Re: [OAUTH-WG] HTTP signing and parameter validation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2016 21:45:17 -0000
It’s a bit of both and it’s going to be highly specific to the API being protected. The RS should reject a signed request in which a critical parameter is unsigned — some implementations of OpenID 2.0 were susceptible to exactly this kind of attack a number of years ago. We could probably add more guidance text to describe what the API designers need to communicate to the client and the RS in terms of what’s expected to be covered by the signature. I’m open to suggested text on that point! — Justin > On Feb 28, 2016, at 1:41 PM, Brock Allen <brockallen@gmail.com> wrote: > > Another question related to HTTP signing. > > It’s not clear to me from the RFC if the resource server should be using the incoming pop token JWS to know what to verify, or if the resource server should have a preconceived notion of what should be sent in the pop token. For example, the query params: should the resource server decode the pop token to see what a client included, or should a resource server always know query params “a, b and c” should always be expected. The same goes for any of the params (method, path, body, etc). > > Thanks. > > -Brock > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] HTTP signing and parameter validation Brock Allen
- Re: [OAUTH-WG] HTTP signing and parameter validat… Justin Richer