Re: [OAUTH-WG] MAC: body-hash

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 24 November 2011 17:17 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Peter Wolanin <peter.wolanin@acquia.com>
Date: Thu, 24 Nov 2011 10:17:07 -0700
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash

That's like trying to eat the cake and have it too.

We dropped the body-hash parameter because it doesn't work. There are too many complications in getting an interop solution across platforms and body types. There are ASCII, UTF8, binary, etc. bodies and they will all produce different hash values based on the level at which the client hashes them. In addition, the HTTP layer can do many things to the data including encoding. On top of that, you have HTTP headers that change the meaning of the payload.

We've tried it and could not come up with any reasonable solution.

As someone who has and wants to implement this, I understand the need for it, but at this point, within the limitations of HTTP, this belongs as a vendor-specific extension until more real-world experience is gained.

EHL


> -----Original Message-----
> From: Peter Wolanin [mailto:peter.wolanin@acquia.com]
> Sent: Thursday, November 24, 2011 5:03 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] MAC: body-hash
> 
> I'd lobby for something more than just prose, since for me, including the
> body or body hash in the HMAC is a pretty essential piece of security for any
> real implementation.  I understand that you think it should not be 100%
> required by all servers, and hence should not be a specified field, but then I
> think it should be something like a "standard" extension.
> 
> For example, retain some of the existing text describing the bodyhash as
> using the same algorithm as the HMAC and show an example like:
> 
> ext="bodyhash:k9kbtCIy0CkI3/FEfpS/oIDjk6k="
> 
> Are there any other specific things you see as common examples of ext
> values?  Is there a suggested system for indicating or separating multiple ext
> values?
> 
> It seems to me without a standardized way to include the body hash in the
> ext field, you immediately invite more diversity in implementations.  It would
> also seem by putting it in the ext field, any client could include the hash even
> if the server doesn't require it?
> 
> Best,
> 
> Peter
> 
> On Thu, Nov 24, 2011 at 12:21 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > In prose, sure. But I'd rather not go further than that.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Peter Wolanin [mailto:peter.wolanin@acquia.com]
> >> Sent: Wednesday, November 23, 2011 11:53 AM
> >> To: Eran Hammer-Lahav
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] MAC: body-hash
> >>
> >> As long as a specific service can make an ext containing the body
> >> hash required, I think this is fine.  Can the spec include body hash
> >> as an example of an ext?
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >> On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav
> >> <eran@hueniverse.com> wrote:
> >> > I want to reaffirm our previous consensus to drop the body-hash
> >> > parameter and leave the ext parameter. Body-hash as currently
> >> > specified is going to cause significant interop issues due to
> >> > character (and other) encoding issues. Providers who desire to MAC
> >> > the body can define their own ext use case.
> >> >
> >> >
> >> >
> >> > Let me know if you have an objection to this change.
> >> >
> >> >
> >> >
> >> > EHL
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
> >> peter.wolanin@acquia.com : 781-313-8322
> >>
> >> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
> 
> 
> 
> --
> Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
> peter.wolanin@acquia.com : 781-313-8322
> 
> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
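
The interop problem discussed in this thread, as an added illustration that is not code from the thread or from the MAC draft: one logical body hashed at the levels a client might choose, plus a server-side check of the `ext="bodyhash:..."` form quoted above. SHA-256, the sample body and all function names are assumptions made for the example.

```python
import base64
import gzip
import hashlib
import hmac
import unicodedata


def body_hash(raw: bytes, alg: str = "sha256") -> str:
    """Base64 digest of exactly the bytes given (alg is an assumption)."""
    return base64.b64encode(hashlib.new(alg, raw).digest()).decode("ascii")


def hash_views(text: str) -> dict:
    """Hash one logical body at the different levels a client might pick."""
    nfc = unicodedata.normalize("NFC", text)
    nfd = unicodedata.normalize("NFD", text)
    utf8 = nfc.encode("utf-8")
    return {
        "utf-8 (NFC)": body_hash(utf8),
        "utf-8 (NFD)": body_hash(nfd.encode("utf-8")),
        "iso-8859-1": body_hash(nfc.encode("iso-8859-1")),
        # mtime=0 keeps the gzip output deterministic for the comparison
        "utf-8 + gzip Content-Encoding": body_hash(gzip.compress(utf8, mtime=0)),
    }


def make_ext(raw: bytes) -> str:
    """Client side: build the ext value over the bytes it believes it sends."""
    return "bodyhash:" + body_hash(raw)


def verify_ext(ext: str, received: bytes) -> bool:
    """Server side: recompute over the bytes it received and compare."""
    label, _, claimed = ext.partition(":")
    if label != "bodyhash" or not claimed:
        return False
    expected = body_hash(received)
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))


SAMPLE = "name=Jos\u00e9"  # constructed sample body, not from the thread

if __name__ == "__main__":
    for level, digest in hash_views(SAMPLE).items():
        print(f"{level:32} {digest}")
    ext = make_ext(SAMPLE.encode("utf-8"))
    print(verify_ext(ext, SAMPLE.encode("utf-8")))       # same bytes both sides
    print(verify_ext(ext, SAMPLE.encode("iso-8859-1")))  # re-encoded in transit
```

Every view yields a different digest, so a body hash only verifies when client and server agree on exactly which byte sequence is hashed.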