IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 30 November 2009 20:28 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B32D3A697E for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 12:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.473
X-Spam-Level:
X-Spam-Status: No, score=-2.473 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIro-r3KY8xN for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 12:28:38 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 2D9B33A6979 for <oauth@ietf.org>; Mon, 30 Nov 2009 12:28:38 -0800 (PST)
Received: (qmail 22643 invoked from network); 30 Nov 2009 20:28:29 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 30 Nov 2009 20:28:29 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Mon, 30 Nov 2009 13:27:22 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, ext Dick Hardt <Dick.Hardt@microsoft.com>
Date: Mon, 30 Nov 2009 13:27:26 -0700
Thread-Topic: [OAUTH-WG] why are we signing?
Thread-Index: AQHKYPpiJlPvjbF+7Eug3PbIB1m6s5EuVfSAgAED2ACAAt81AIAAASmAgABrE4CAAH1JAIABBIUAgACcJwCAAAx/gIAa2A2A//97K4CAAA8m8A==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com><35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net><daf5b9570911092158k682aff63l959c423c399b2277@mail.gmail.com><4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de><daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET><cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com><90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 20:28:39 -0000

OAuth is being proposed as a generally useful method for securing API calls. I expect many open source libraries to implement it on the server side and use it for blog plugins, widgets, and other highly distributed software. If OAuth required the use of TLS, it would simply be ignored by all those applications which will likely continue using Basic.

With all due respect to big companies, their resources, and ability to effortlessly deploy SSL/TLS, it is still an expensive and complex process for more developers deploying small scale server components.

EHL

> -----Original Message-----
> From: Tschofenig, Hannes (NSN - FI/Espoo)
> [mailto:hannes.tschofenig@nsn.com]
> Sent: Monday, November 30, 2009 11:23 AM
> To: ext Dick Hardt; Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: RE: [OAUTH-WG] why are we signing?
> 
> I would also like to hear about the cases where TLS is not suitable.
> 
> Hannes
> 
> >-----Original Message-----
> >From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >Of ext Dick Hardt
> >Sent: 30 November, 2009 21:18
> >To: Eran Hammer-Lahav
> >Cc: oauth@ietf.org
> >Subject: Re: [OAUTH-WG] why are we signing?
> >
> >
> >On 2009-11-13, at 7:21 AM, Eran Hammer-Lahav wrote:
> >>
> >> I for one, see great value in offering some form of
> >crypto-based security for cases where TLS is not suitable.
> >
> >
> >Are these use cases enumerated somewhere?
> >
> >(Apologies for coming into the conversation late)
> >
> >_______________________________________________
> >OAuth mailing list
> >OAuth@ietf.org
> >https://www.ietf.org/mailman/listinfo/oauth
> >

v2.23.0 | Report a Bug | By Email