Re: [OAUTH-WG] why are we signing?

Peter Saint-Andre <stpeter@stpeter.im> Wed, 02 December 2009 02:58 UTC

Message-ID: <4B15D7C2.2070901@stpeter.im>
Date: Tue, 01 Dec 2009 19:58:10 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com><35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net><daf5b9570911092158k682aff63l959c423c399b2277@mail.gmail.com><4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de><daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: ext Dick Hardt <Dick.Hardt@microsoft.com>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?

<hat type='individual'/>

On 11/30/09 1:27 PM, Eran Hammer-Lahav wrote:
> OAuth is being proposed as a generally useful method for securing API
> calls. I expect many open source libraries to implement it on the
> server side and use it for blog plugins, widgets, and other highly
> distributed software. If OAuth required the use of TLS, it would
> simply be ignored by all those applications which will likely
> continue using Basic.
> 
> With all due respect to big companies, their resources, and ability
> to effortlessly deploy SSL/TLS, it is still an expensive and complex
> process for more developers deploying small-scale server components.

With all due respect, I think it can be harder for big companies to
deploy TLS -- they have a lot more users, need more hardware (special
SSL accelerators and the like), have more layers of employees (so it can
be more difficult to find the person who controls the hostmaster or
whois-listed email address), etc.

Getting a Class 1 cert from the likes of StartSSL is easy as pie these
days. IMHO there is no excuse for not deploying SSL if you care one whit
about security. The problem is that too many small-scale developers (and
big companies!) simply don't care.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/