IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 02 December 2009 09:48 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90F8028C0E7 for <oauth@core3.amsl.com>; Wed, 2 Dec 2009 01:48:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.626
X-Spam-Level:
X-Spam-Status: No, score=-0.626 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TO62WnmOzxBl for <oauth@core3.amsl.com>; Wed, 2 Dec 2009 01:48:36 -0800 (PST)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id 7916428C15D for <oauth@ietf.org>; Wed, 2 Dec 2009 01:48:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id 8A450360084 for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:27 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hFYZbCAy6Dsk for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:26 +0000 (GMT)
Received: from mail01.newbay.com (mail01.newbay.com [192.168.12.25]) by mail.newbay.com (Postfix) with ESMTP id A8DC2360059 for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:26 +0000 (GMT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail01.newbay.com (Postfix) with ESMTP id A2A3D7C315 for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:26 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail01.newbay.com ([127.0.0.1]) by localhost (mail01.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qKwZA1l7Uy6Z for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:26 +0000 (GMT)
Received: from [192.168.3.23] (unknown [192.168.3.23]) by mail01.newbay.com (Postfix) with ESMTP id 0811D7C30A for <oauth@ietf.org>; Wed, 2 Dec 2009 09:48:26 +0000 (GMT)
Message-ID: <4B1637EB.5080502@cs.tcd.ie>
Date: Wed, 02 Dec 2009 09:48:27 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.23 (X11/20090812)
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B15D7C2.2070901@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912011946j600f8cbcl918af16fbbbc3206@mail.gmail.com> <EDFFBBF1-7FBB-4F4E-A0D8-B92C9036B33C@microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343785209F94@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785209F94@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2009 09:48:37 -0000

I think we'll need an analysis of where we end up wanting TLS
for the protocols we produce. I wouldn't expect any big
surprises, but right now I don't think we can be sure since
things seems to be in flux to some extent.

Then, I'd be for saying that TLS MUST be used for those operations.
However, I can well believe that there may be some niches where
using TLS isn't easy, so I could live with something like: it MUST
be possible to use TLS, and that deployments SHOULD use it, with
guidance as to the type of scenario where we think TLS really
has to be turned on, and maybe text about why sometimes people
can't do that.

So I don't think we can finish this discussion at this stage.

S.

Eran Hammer-Lahav wrote:
> <smiling but not joking>
> 
> I would like to make an official request to the chair for a consensus call on recommending SSL but keeping it optional in the various OAuth components. We can figure out how strong to make the language (or how scary), and we may make it mandatory in some flows/profiles, but I would like to be done with this discussion (for the n time).
> 
> If someone will want to raise new arguments, well, this is the IETF so who can stop them? :-)
> 
> EHL
> 
>> -----Original Message-----
>> From: Dick Hardt [mailto:Dick.Hardt@microsoft.com]
>> Sent: Tuesday, December 01, 2009 9:51 PM
>> To: Brian Eaton
>> Cc: Eran Hammer-Lahav; Peter Saint-Andre; <ext@core3.amsl.com>;
>> Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
>> Subject: Re: [OAUTH-WG] why are we signing?
>>
>>
>> On 2009-12-01, at 5:46 PM, Brian Eaton wrote:
>>
>>> On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav
>> <eran@hueniverse.com> wrote:
>>>>> Getting a Class 1 cert from the likes of StartSSL is easy as pie
>>>>> these days. IMHO there is no excuse for not deploying SSL if you
>>>>> care one whit about security. The problem is that too many
>>>>> small-scale developers (and big companies!) simply don't care.
>>>> Don't care, don't need that much security, don't understand it, etc.
>> Bottom line is that requiring SSL is certain to fork this work if not done right.
>>> Note, however, that someone who can't get SSL working and still
>>> deploys OAuth has basically no security against eavesdroppers or MITM
>>> attacks, and certainly can't expect OAuth to provide it.  The issues
>>> are in the token issuance phase: these organizations are sending user
>>> passwords and session cookies in clear text!  OAuth is the least of
>>> their security concerns,
>>
>> If the cost of SSL outweighs the risk of a security breach, then why would a
>> developer deploying OAuth choose to sign their messages rather then use
>> the simpler bearer token?
>>
>> Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I think
>> that is a good question. Perhaps it should be RECOMMENDED, and
>> deployments can make their own benefit analysis.
>>
>> -- Dick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email