[OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)

Peter Saint-Andre <stpeter@stpeter.im> Fri, 19 November 2010 02:24 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 84B6B28C0EC for <oauth@core3.amsl.com>; Thu, 18 Nov 2010 18:24:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.465
X-Spam-Level:
X-Spam-Status: No, score=-102.465 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HTTP_ESCAPED_HOST=0.134, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08tCKablQngT for <oauth@core3.amsl.com>; Thu, 18 Nov 2010 18:24:48 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 8594028C0D9 for <oauth@ietf.org>; Thu, 18 Nov 2010 18:24:48 -0800 (PST)
Received: from squire.local (ip-216-17-182-51.rev.frii.com [216.17.182.51]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id E889540393 for <oauth@ietf.org>; Thu, 18 Nov 2010 19:35:41 -0700 (MST)
Message-ID: <4CE5E01F.1020207@stpeter.im>
Date: Thu, 18 Nov 2010 19:25:35 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms030406030904000601010000"
Subject: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 02:24:49 -0000

Folks, is this erratum accurate?


-------- Original Message --------
Subject: [Technical Errata Reported] RFC5849 (2550)
Date: Tue, 12 Oct 2010 09:42:17 -0700 (PDT)
From: RFC Errata System <rfc-editor@rfc-editor.org>
To: eran@hueniverse.com, iesg@iesg.org
CC: alasdair@lovefilm.com, rfc-editor@rfc-editor.org


The following errata report has been submitted for RFC5849,
"The OAuth 1.0 Protocol".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5849&eid=2550

--------------------------------------
Type: Technical
Reported by: Alasdair McIntyre <alasdair@lovefilm.com>

Section: GLOBAL

Original Text
-------------
Section 3.1
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

Section 3.4.1.1
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

Section 3.4.1.3.1
oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"



Corrected Text
--------------
Section 3.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"

Section 3.4.1.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"

Section 3.4.1.3.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"


Notes
-----
(Apologies - this supercedes Errata ID 2549).

The signatures in sections 3.1, 3.4.1.1, and 3.4.1.3.1 of the RFC have
mistakenly been calculated as if with "GET". I have supplied the correct
"POST" signatures in the corrected text.

For reference, here is the perl script I used to calculate the signatures:

#!/usr/bin/perl
use strict;
use warnings;
use Digest::HMAC_SHA1;
use URI::Escape;
use MIME::Base64;

my $unsafe = '^-._~A-Za-z0-9';
my $client_secret = 'j49sk3j29djd';
my $token_secret = 'dh893hdasih9';
my $key = join('&', $client_secret, $token_secret);

my $uri_base = 'http%3A%2F%2Fexample.com%2Frequest';
my $params = join('', qw(
    a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D
    %253D%25253D%26c%2540%3D%26c2%3D%26oauth_con
    sumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3
    D7d8f3e4a%26oauth_signature_method%3DHMAC-SH
    A1%26oauth_timestamp%3D137131201%26oauth_tok
    en%3Dkkk9d7dh3k39sjv7
));

foreach my $method ('GET', 'POST') {
    my $base_sig = join('&', $method, $uri_base, $params);
    my $bin_sig = Digest::HMAC_SHA1::hmac_sha1($base_sig, $key);
    my $b64_sig = MIME::Base64::encode_base64($bin_sig, '');
    my $enc_sig = URI::Escape::uri_escape($b64_sig, $unsafe);
    printf "%-8s %s\n", $method, $enc_sig;
}

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC5849 (draft-hammer-oauth-10)
--------------------------------------
Title               : The OAuth 1.0 Protocol
Publication Date    : April 2010
Author(s)           : E. Hammer-Lahav, Ed.
Category            : INFORMATIONAL
Source              : IETF - NON WORKING GROUP
Area                : N/A
Stream              : IETF
Verifying Party     : IESG