IETF Logo Mail Archive

Re: [OAUTH-WG] Signatures spec proposal, take 2

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 24 September 2010 02:33 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 20DED3A685B for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:33:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Level:
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SB9q47e-VSQL for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:32:08 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id A90133A68A8 for <oauth@ietf.org>; Thu, 23 Sep 2010 19:32:08 -0700 (PDT)
Received: (qmail 6608 invoked from network); 24 Sep 2010 02:32:38 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 24 Sep 2010 02:32:38 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Thu, 23 Sep 2010 19:32:38 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dirk Balfanz <balfanz@google.com>
Date: Thu, 23 Sep 2010 19:32:35 -0700
Thread-Topic: [OAUTH-WG] Signatures spec proposal, take 2
Thread-Index: ActbjUFxlbwuqt/QQ56Hz69ivw+8/gAA32sl
Message-ID: <C8C15BD3.3AC6C%eran@hueniverse.com>
In-Reply-To: <AANLkTinM0J5mt1cm7O745-Fu7BbiuXVLVWt3nO08Oy73@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C8C15BD33AC6Ceranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures spec proposal, take 2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 02:33:04 -0000

First, thanks for putting this together. It provides a pretty comprehensive story about the signed tokens proposal. I don't have much to add at this point to the drafts.

My position, which I have expressed many times before about this approach is:

Any solution involving repeating the HTTP request elements in some sort of envelope will require validation .In this case, you need to define all the rules for validating the 'audience' parameter.

This approach makes it too tempting for server developers to ignore the HTTP request and only use the values of the 'audience' and 'method' parameters. In order to validate those parameters, the server needs to perform some sort of normalization (which eventually leads to the same signature mismatch problems). Not looking at the HTTP request will lead to security problems because it will allow bypassing existing HTTP firewall rules which operate on the request URI and HTTP method.

As a matter of personal taste, this smells too much like SOAP. And that's a really bad thing.

I am not in favor of any solution that replicates components of the HTTP request within the request (as is the case here). Recent experience shows that with a little help and good libraries, developers can figure out how to normalize and sign an HTTP request successfully, when motivated.

EHL


On 9/23/10 7:07 PM, "Dirk Balfanz" <balfanz@google.com> wrote:



On Thu, Sep 23, 2010 at 6:51 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
In part II, how is the signature bound to the HTTP request URI? I see the method and body, but not the request URI.

The request URI goes in the audience parameter that's defined in part I.

Dirk.


EHL



On 9/23/10 3:39 PM, "Dirk Balfanz" <balfanz@google.com <http://balfanz@google.com> > wrote:

Hi guys,

sorry it took a while, but here is an updated proposal. It's still in three parts:

Part I is about "JSON Tokens" that can be used for all sorts of things, not just OAuth:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html

Part II is about how to embed an OAuth token and (some parts of) an HTTP request into a JSON Token:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-signedoauth2-00.html

Part III is how to use signatures instead of client secrets for assertions in OAuth:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-clientassertions-00.html

Diffs from the last specs are:

- JSON Tokens are now just a profile of Magic Signatures, which John Panzer has helpfully extended for this purpose
- There was a vulnerability to masquerading attacks in the last proposal, which is addressed in this proposal by adding a data_type parameter that is part of the signature, but _not_ part of the payload.
- no more support of X.509 certs - the only supported format for discovered public keys is now the Magic Key format. We'll give people tools (which are quite easy to write) to convert their self-signed or CA-issued certs to magic keys.
- The specs are now formatted as I-Ds.

Comments, please!

Dirk.

v2.23.0 | Report a Bug | By Email