Re: [OAUTH-WG] why are we signing?

Mike Malone <mjmalone@gmail.com> Mon, 30 November 2009 22:32 UTC

In-Reply-To: <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com>
Date: Mon, 30 Nov 2009 14:32:28 -0800
Message-ID: <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com>
From: Mike Malone <mjmalone@gmail.com>
To: Dick Hardt <Dick.Hardt@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?

On Mon, Nov 30, 2009 at 11:17 AM, Dick Hardt <Dick.Hardt@microsoft.com> wrote:
>
> On 2009-11-13, at 7:21 AM, Eran Hammer-Lahav wrote:
>>
>> I, for one, see great value in offering some form of crypto-based security for cases where TLS is not suitable.
>
> Are these use cases enumerated somewhere?

I'm not completely opposed to the TLS route, but since you asked...
off the top of my head, here are a couple drawbacks to using TLS
instead of signing:
  - Bigger burden on developers who need to debug this stuff (i.e.,
you can't sniff your own traffic to debug requests & responses).
  - Properly setting up TLS can be complicated and expensive. For
developers who don't have a lot of ops skills the barrier may be too
high.
  - You can no longer pass around signed URLs as another level of
delegation (a use case that I use regularly for making XHR & POST
requests from the browser). This could be a non-issue if some other
mechanism for fourth-party delegation existed.

If we were coming up with a more secure replacement for browser-based
HTTP basic auth (and looking at Aza Raskin's work with identity in
Firefox, OAuth in the browser doesn't appear to be that far off), would
you want to mandate that all auth'd HTTP traffic use TLS? Not sure if
the answer is yes or no, but I'm guessing many of the
advantages/drawbacks will be the same.

Mike