IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

John Panzer <jpanzer@google.com> Thu, 12 November 2009 15:45 UTC

Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 97E5E3A6A2D for <oauth@core3.amsl.com>; Thu, 12 Nov 2009 07:45:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RTiBkxKfAUmD for <oauth@core3.amsl.com>; Thu, 12 Nov 2009 07:45:17 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 6C7353A6A19 for <oauth@ietf.org>; Thu, 12 Nov 2009 07:45:17 -0800 (PST)
Received: from spaceape12.eur.corp.google.com (spaceape12.eur.corp.google.com [172.28.16.146]) by smtp-out.google.com with ESMTP id nACFjjN3014637 for <oauth@ietf.org>; Thu, 12 Nov 2009 15:45:45 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1258040745; bh=H7m93w60xgly9MuiLN8mC9H/Cjk=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=a5G9WBdFwFMg3agfrPn2mgGe0loJI+vlO8GnVoZpmuhowieezStHk5Kkj5RnCB+kq gDqiaXAN+wxHhO4zyru2g==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:content-transfer-encoding:x-system-of-record; b=M/yq9iFX3+BbJX+zrq5QFTv4mAdqVD++zhcQS/Y44dD7LHKyN7Yg6xZYGkw6BiOQP av+OatGBReydwkzz+NyPw==
Received: from pwi15 (pwi15.prod.google.com [10.241.219.15]) by spaceape12.eur.corp.google.com with ESMTP id nACFjTnE001340 for <oauth@ietf.org>; Thu, 12 Nov 2009 07:45:42 -0800
Received: by pwi15 with SMTP id 15so1453730pwi.24 for <oauth@ietf.org>; Thu, 12 Nov 2009 07:45:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.115.102.18 with SMTP id e18mr6261611wam.174.1258040740495; Thu, 12 Nov 2009 07:45:40 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net> <daf5b9570911092158k682aff63l959c423c399b2277@mail.gmail.com> <4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de> <daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 12 Nov 2009 07:45:40 -0800
Message-ID: <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com>
From: John Panzer <jpanzer@google.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 15:45:18 -0000

I think that https plus bearer token is sufficient for 90% of use
cases.  I haven't heard a first principles argument otherwise.  If for
no other reason than the record, could the proponents of signing
explain why bearer token over TLS will not meet their needs?

On Thursday, November 12, 2009, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> As a matter of process, I would suggest looking at what the 1.0 HMAC-SHA1 method signs, and discuss if it is where we should be. We are working with an existing draft and should structure our discussions as feedback to that point of reference. This doesn't limit the conclusion in any way, and is how this WG has been chartered.
>
> EHL
>
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Brian Eaton
>> Sent: Wednesday, November 11, 2009 5:54 PM
>> To: BeckW@telekom.de
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] why are we signing?
>>
>> So we've got at least five different use cases for signing requests
>> with the oauth access token and token secret.
>>
>> Sweet.
>>
>> The downside to the use cases is that they all have incompatible
>> signature base strings.  I'd like to see us come up with something so
>> that we don't have to reinvent the base string again for every single
>> use case.
>>
>> Cheers,
>> Brian
>>
>> On Wed, Nov 11, 2009 at 5:49 PM,  <BeckW@telekom.de> wrote:
>> >
>> > On Mon, Nov 9, 2009 at 6:28 AM, John Kemp <john@jkemp.net> wrote:
>> >> If we are only interested in i) [authenticating the entity] then
>> > signing any piece of the message might
>> >> be sufficient. If we are interested in ii) [binding the signature to
>> > the message] (or some other security property)
>> >> then we will need to identify which pieces of the message we want to
>> > provide
>> >> that, or other, security properties for.
>> >
>> >> Brian Eaton wrote:
>> >> OK, let me try to summarize what I've heard on this thread about the
>> >> different use-cases for message signing:
>> >>
>> >> - sign the HTTP request
>> >>   Used to prevent MITM from replaying token to a different URL.
>>  Also
>> >> limits the replay attack window to minutes instead of hours.
>> >>
>> >> - sign various other parts of the message
>> >>   DKIM: signs various message headers
>> >>   SIP: unspecified, just says "relevant parts of SIP request"
>> > Hannes Tschofenig suggested handle SIP messages the way described in
>> RfC
>> > 4474 (SIP identity). It lists the parts of a SIP messsage that need
>> to
>> > be protected.
>> >
>> > Wolfgang
>> >
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer

v2.23.0 | Report a Bug | By Email