[OAUTH-WG] Signatures spec proposal, take 2
Dirk Balfanz <balfanz@google.com> Thu, 23 September 2010 22:39 UTC
Return-Path: <balfanz@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C8093A6A59 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 15:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.976
X-Spam-Level:
X-Spam-Status: No, score=-103.976 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5lcm8ODO4hc for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 15:39:03 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id C14433A6852 for <oauth@ietf.org>; Thu, 23 Sep 2010 15:39:02 -0700 (PDT)
Received: from kpbe20.cbf.corp.google.com (kpbe20.cbf.corp.google.com [172.25.105.84]) by smtp-out.google.com with ESMTP id o8NMdVil001556 for <oauth@ietf.org>; Thu, 23 Sep 2010 15:39:31 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285281572; bh=lwTbLhx8IbJ7jOrCXX3odL4wWeg=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=X2i/0Vt9CHJOhawbGFZq2QicpHx99p0fnnN7uUkyQzVxZx5yFkwlNR/Fmwjwf5upW SyWclotkf/xd0l6Iuyr4Q==
Received: from iwn5 (iwn5.prod.google.com [10.241.68.69]) by kpbe20.cbf.corp.google.com with ESMTP id o8NMbSMX027406 for <oauth@ietf.org>; Thu, 23 Sep 2010 15:39:30 -0700
Received: by iwn5 with SMTP id 5so1979244iwn.5 for <oauth@ietf.org>; Thu, 23 Sep 2010 15:39:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=tIRAxe/pp7qwro6tg3vnNOGCfpqwxLZ5rPK0+VKdilE=; b=lS+I8CX4HfyxCoPEqbHAb5MFwt0boyw+KO1A1U7ZN+JlYgP0GacgiH/7ppcmpT+FWz hpMAtWjASuu2LWU5jBeA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:date:message-id:subject:from:to:content-type; b=obffNnKb8tLSrRSqcogUnT1PgtePuBLG9GpS3aftyWC/ko6G1wrGkt174tCcrggALl VTkj0Iy/fCuCz9ze24kg==
MIME-Version: 1.0
Received: by 10.231.149.140 with SMTP id t12mr2780263ibv.100.1285281569826; Thu, 23 Sep 2010 15:39:29 -0700 (PDT)
Received: by 10.231.130.9 with HTTP; Thu, 23 Sep 2010 15:39:29 -0700 (PDT)
Date: Thu, 23 Sep 2010 15:39:29 -0700
Message-ID: <AANLkTikR_7uLDx6BaxTYwQJZfjqHDQPwKaA+kOWCsKEc@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00504501416f67e9a60490f4ef3b"
X-System-Of-Record: true
Subject: [OAUTH-WG] Signatures spec proposal, take 2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 22:39:08 -0000
Hi guys, sorry it took a while, but here is an updated proposal. It's still in three parts: Part I is about "JSON Tokens" that can be used for all sorts of things, not just OAuth: http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html Part II is about how to embed an OAuth token and (some parts of) an HTTP request into a JSON Token: http://balfanz.github.com/jsontoken-spec/draft-balfanz-signedoauth2-00.html Part III is how to use signatures instead of client secrets for assertions in OAuth: http://balfanz.github.com/jsontoken-spec/draft-balfanz-clientassertions-00.html Diffs from the last specs are: - JSON Tokens are now just a profile of Magic Signatures, which John Panzer has helpfully extended for this purpose - There was a vulnerability to masquerading attacks in the last proposal, which is addressed in this proposal by adding a data_type parameter that is part of the signature, but _not_ part of the payload. - no more support of X.509 certs - the only supported format for discovered public keys is now the Magic Key format. We'll give people tools (which are quite easy to write) to convert their self-signed or CA-issued certs to magic keys. - The specs are now formatted as I-Ds. Comments, please! Dirk.
- [OAUTH-WG] Signatures spec proposal, take 2 Dirk Balfanz
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Eran Hammer-Lahav
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Dirk Balfanz
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Eran Hammer-Lahav
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Richard L. Barnes
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Dirk Balfanz
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Richard L. Barnes
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Dirk Balfanz
- Re: [OAUTH-WG] Signatures spec proposal, take 2 Eran Hammer-Lahav