IETF Logo Mail Archive

Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 14:10 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CABA43A6B47 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 07:10:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.404
X-Spam-Level:
X-Spam-Status: No, score=-102.404 tagged_above=-999 required=5 tests=[AWL=0.195, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyZXlNTHSvqj for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 07:10:27 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 109763A6B80 for <oauth@ietf.org>; Fri, 24 Sep 2010 07:10:11 -0700 (PDT)
Received: from ros-dhcp192-1-51-60.bbn.com ([192.1.51.60]:62648) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Oz8yx-000FjD-TO; Fri, 24 Sep 2010 10:10:37 -0400
Message-Id: <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Justin Richer <jricher@mitre.org>
In-Reply-To: <1285335868.15179.98.camel@localhost.localdomain>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 24 Sep 2010 10:10:34 -0400
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain>
X-Mailer: Apple Mail (2.936)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 14:10:33 -0000

> I think that any signature method that we end up using needs to rely
> less on magic and anecdote and more on explicit declaration.

This is certainly correct ...


> I think
> that Brian Eaton's approach of sending the bare string that was  
> signed,
> which was also a JSON element that could be parsed and validated,  
> was an
> essential simplification.

... but this does not follow.  The signer can specify what was signed  
without sending the data...

> Even OpenID states which of the parameters on
> the request were signed, which makes it easier to validate.

... as in this pattern.  There are some other examples of elements of  
the signed object being conditionally included:
1. HTTP Digest authentication [1]
2. The IKEv2 key exchange messages [2]

As has been pointed out before, there is a security risk in sending  
the signed request data itself (as opposed to metadata that allows the  
recipient to reconstruct the data), because the recipient can choose  
not to verify the binding between the signed data and the request.

--Richard


[1] <http://tools.ietf.org/html/rfc2617#section-3.2.2>
[2] <http://tools.ietf.org/html/rfc4306#section-1.2>

v2.23.0 | Report a Bug | By Email