MIME-Version: 1.0
Date: Thu, 23 Sep 2010 15:39:29 -0700
Message-ID: <AANLkTikR_7uLDx6BaxTYwQJZfjqHDQPwKaA+kOWCsKEc@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=00504501416f67e9a60490f4ef3b
Subject: [OAUTH-WG] Signatures spec proposal, take 2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 22:39:08 -0000

--00504501416f67e9a60490f4ef3b
Content-Type: text/plain; charset=ISO-8859-1

Hi guys,

sorry it took a while, but here is an updated proposal. It's still in three
parts:

Part I is about "JSON Tokens" that can be used for all sorts of things, not
just OAuth:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html

Part II is about how to embed an OAuth token and (some parts of) an HTTP
request into a JSON Token:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-signedoauth2-00.html

Part III is how to use signatures instead of client secrets for assertions
in OAuth:
http://balfanz.github.com/jsontoken-spec/draft-balfanz-clientassertions-00.html

Diffs from the last specs are:

- JSON Tokens are now just a profile of Magic Signatures, which John Panzer
has helpfully extended for this purpose
- There was a vulnerability to masquerading attacks in the last proposal,
which is addressed in this proposal by adding a data_type parameter that is
part of the signature, but _not_ part of the payload.
- No more support for X.509 certs - the only supported format for discovered
public keys is now the Magic Key format. We'll give people tools (which are
quite easy to write) to convert their self-signed or CA-issued certs to
magic keys.
- The specs are now formatted as I-Ds.

Comments, please!

Dirk.
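
[Added example for the archive, not part of Dirk's message or of the drafts.]
The second bullet above is the security-relevant change: a type discriminator
that the signature covers but the payload does not carry, so the verifier
supplies the type from its own context and a token minted for one purpose
(say, a signed HTTP request per Part II) cannot be presented where a client
assertion (Part III) is expected. The toy below shows that behaviour. It is
constructed code, not from the drafts, Google, or the Magic Signatures
project; the token layout (envelope.payload.signature), the signature base
string (payload and base64url data_type joined with "."), the key_id lookup
and the data_type labels "signed-http-request" / "client-assertion" are all
assumptions made for the example, and HMAC-SHA256 stands in for the draft's
public-key algorithm so it runs with the standard library only.

```python
"""Toy typed token, loosely modeled on the Magic Signatures base string.

Constructed example; not code from draft-balfanz-jsontoken-00, Google, or
Magic Signatures.  Token layout, base-string layout and the data_type labels
are assumptions, and HMAC-SHA256 replaces the draft's public-key signature.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment would use the signer's key pair.
DEMO_KEYS = {"k1": b"constructed-demo-key-do-not-reuse"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(envelope_b64: str, payload_b64: str, data_type: str) -> bytes:
    # data_type is covered by the signature but never carried in the token:
    # the verifier supplies it from its own context, so a token minted for
    # one purpose cannot be replayed as another.
    return f"{envelope_b64}.{payload_b64}.{b64url(data_type.encode())}".encode()


def sign(payload: dict, data_type: str, key_id: str, keys: dict = DEMO_KEYS) -> str:
    envelope_b64 = b64url(json.dumps({"alg": "HS256", "key_id": key_id},
                                     separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(keys[key_id], signing_input(envelope_b64, payload_b64, data_type),
                   hashlib.sha256).digest()
    return f"{envelope_b64}.{payload_b64}.{b64url(mac)}"


def verify(token: str, expected_data_type: str, keys: dict = DEMO_KEYS) -> Optional[dict]:
    """Return the payload if the token was signed for expected_data_type, else None."""
    try:
        envelope_b64, payload_b64, sig_b64 = token.split(".")
        envelope = json.loads(b64url_decode(envelope_b64))
        key = keys[envelope["key_id"]]
        sig = b64url_decode(sig_b64)
    except (ValueError, KeyError, TypeError):
        return None
    if envelope.get("alg") != "HS256":
        return None
    expected = hmac.new(key, signing_input(envelope_b64, payload_b64, expected_data_type),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Mint one token for a signed HTTP request, then try to misuse it."""
    payload = {"iss": "client-123", "aud": "https://as.example/token", "exp": 1285285172}
    token = sign(payload, "signed-http-request", "k1")

    # Keep the genuine signature but swap in an attacker-chosen payload.
    env_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url(json.dumps({**payload, "iss": "attacker"},
                                       separators=(",", ":")).encode())
    forged = f"{env_b64}.{forged_payload}.{sig_b64}"

    return {
        "accepted_for_intended_type": verify(token, "signed-http-request") == payload,
        # Same bytes presented where a client assertion is expected.
        "accepted_as_client_assertion": verify(token, "client-assertion") is not None,
        "forged_payload_accepted": verify(forged, "signed-http-request") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of passing expected_data_type into verify() rather than reading a
type field out of the payload is that the check cannot be forgotten: a
verifier that wants a client assertion recomputes the base string with its own
label, and any token signed under a different label simply fails the MAC, even
though the token bytes say nothing about their type.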

--00504501416f67e9a60490f4ef3b--
