Re: [OAUTH-WG] Future of PoP Work
Blue Teazzers <teazzerst2d@gmail.com> Tue, 25 October 2016 04:12 UTC
Return-Path: <teazzerst2d@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B214B1294AC for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 21:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUDPcNglOJFV for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 21:12:11 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6DE312940E for <oauth@ietf.org>; Mon, 24 Oct 2016 21:12:10 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id m72so74417897oik.3 for <oauth@ietf.org>; Mon, 24 Oct 2016 21:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W7usgI99KCSAd7JBwB/JUm5EowXZKT4Kga0IXr66gKg=; b=xspUGVO/4KURkeqk5G4zs4FuklsKX56LV53ueRECiFxk4FZL1+7ra02g8EIAkd2z9n NiLhwtd2eLOeIAQ6r8BLe1FDRlNcZUoGh0AncyVPWDyBosbeizsKgRiDWZj1sHgLpDb4 Kn+QKW5Q8mv9arreC7scHfDpNAhlve85Y/7woN3DJoUrmPvDx0uUq/I75xhJ2/fHmWxT 5OGMzE29AItSTaoNbbV1Pe663Q6J8/HgTokYFqxvhnkHQwKTiQbx9jm2/pzZsMKz5LP3 mP/lKRSQI6S9QCwf4wdWOsmQl/leliBkrMGJvIvzqTZ4o5Twc5MneOZC5DdhK/4EP/qu BsXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W7usgI99KCSAd7JBwB/JUm5EowXZKT4Kga0IXr66gKg=; b=SN0FRSxMEj2Rq+V09ziNcVb2TjoW14xQvWc05/pjTczaVm/eEC41NTlgZvt/Cs4hOV 4HQ1LnEamvMrh5LR4Lmh/rInLcLQvVTsTG9qKndKM1X6yXA25RQYS8+b7IQMKZRbCJQK QNzOy2u+qXTwLjEuciTbVLg8/aVdp6PNEUbo9btdYoj16efCrL3yL32qn5WwbyJ7we7V ZvHRnvsCwy/azSYgOpTuztDa4mxOLWhlJQY1enCwfEUCk3Fw9y71ELX96PRIg07bM48A Hd0nKhugFY+inTEireqs8AyHDbAfO1gl/Oc0gDaw1yq0q8WpzHJjofzaariU1emVOEI5 +LJA==
X-Gm-Message-State: ABUngvcIq9wbpwtY2YAnRw+DvHks4VqtEzekR94IE7IoCylREBP0Q2oaDnb4HF9Dn8JOCHYf8sQ13O0KkY3AoA==
X-Received: by 10.107.58.86 with SMTP id h83mr9760662ioa.117.1477368730286; Mon, 24 Oct 2016 21:12:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.39.19 with HTTP; Mon, 24 Oct 2016 21:12:09 -0700 (PDT)
In-Reply-To: <96CE138B-D02A-491F-BEF4-7800201C3CA2@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com> <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com> <35529A23-97AC-4B69-9544-90E2E8C53755@mit.edu> <F441C93D-64F4-4D48-8E67-0A6E940C9A21@oracle.com> <96CE138B-D02A-491F-BEF4-7800201C3CA2@mit.edu>
From: Blue Teazzers <teazzerst2d@gmail.com>
Date: Tue, 25 Oct 2016 09:42:09 +0530
Message-ID: <CAHuRu6rF7Pibbe3S68mdgqcQSFuuqvg8Q0SkyS9mn9W1pmpx4w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="001a114ac8845efe44053fa8b66a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AczB4SgwYOn5ZqjFxkf068i3rXs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2016 04:12:12 -0000
Hi everyone On Tue, Oct 25, 2016 at 3:28 AM, Justin Richer <jricher@mit.edu> wrote: > The reason that there’s a lot of discussion on headers and query > parameters and not a lot of discussion on the content is that there’s > nothing special for signing the body whether it’s XML or JSON or HTML: it’s > just a hash of the entity body, sent as the “b” parameter in the JWS. The > body is less likely to be transformed than the headers or parameters, and > getting into “how to sign XML” or “how to sign JSON” beyond “just take the > body as a byte array and hash it” is problematic. I don’t think we want to > get into the business of normalization or canonicalization of the message > body. > > Keep in mind that this is all for the HTTP *request* from the client and > not the HTTP *response* from the RS. > > — Justin > > On Oct 24, 2016, at 1:27 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > > Rather than focus on headers and URL param signing, focus on specifying > how content is signed in the context of PoP. > > I think there might be a clearer path for example if we new that signing > for application/json and application/xml worked well. > > As we’ve been discussing signing headers and URL params is theoretically > do-able, but it probably has more limited use and would remain experimental. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > On Oct 24, 2016, at 1:06 PM, Justin Richer <jricher@mit.edu> wrote: > > You can already sign arbitrary content using a body hash with the current > spec. > > — Justin > > On Oct 24, 2016, at 8:38 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote: > > Maybe if we reworked the signing doc so content types like xml and json > could be signed? > > This would cover for the majority of web api cases. > > Wonder what the advice of the http wg would be on this. > > Phil > > On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <samuel@erdtman.se> wrote: > > +1 on doing PoP work in this working group, including HTTP signing/MACing, > I don´t think the old HTTP signature document was that far from useful. > > With the ACE work I like when it is possible to just map work done in the > OAuth and other working groups to the more optimized protocols. Some would > maybe say that it is sub-optimal that the protocol was not initially > designed for the constrained environment but I think the benefit of concept > validation from web is a bigger plus. > > //Samuel > > On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote: > >> I believe that the PoP work should stay in the working group, and that >> without a usable presentation mechanism such as an HTTP message signature >> the whole work is pointless. I agree with Mike that we should learn from >> our own mistakes — and that is precisely the direction that the current >> HTTP signing draft took. As a result, the base level of functionality is >> signing the token itself (with a timestamp/nonce) using the key. All of the >> fiddly HTTP bits that trip people up? Not only are they optional, but it’s >> explicitly declared what’s covered. Why? Because we’re learning from past >> mistakes. >> >> I think that token binding is relying on a lot of “ifs” that aren’t real >> yet, and if those “ifs” become reality then it will be to the benefit of >> large internet companies over everyone else. Additionally, token binding in >> OAuth is far from the simple solution that it’s being sold as. The very >> nature of an access token goes against the original purpose of tying an >> artifact to a single presentation channel. OAuth clients in the real world >> need to be able to deal with multiple resource servers and dynamically >> deployed APIs, and the token binding protocol fundamentally assumes a world >> where two machines are talking directly to each other. >> >> All that said, this working group has consistently shown resistance to >> solving this problem for many years, so the results of this query don’t at >> all surprise me. >> >> — Justin >> >> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig < >> hannes.tschofenig@gmx.net> wrote: >> > >> > Hi all, >> > >> > two questions surfaced at the last IETF meeting, namely >> > >> > 1) Do we want to proceed with the symmetric implementation of PoP or, >> > alternatively, do we want to move it over to the ACE working group? >> > >> > 2) Do we want to continue the work on HTTP signing? >> > >> > We would appreciate your input on these two questions. >> > >> > Ciao >> > Hannes & Derek >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Future of PoP Work Hannes Tschofenig
- Re: [OAUTH-WG] Future of PoP Work Mike Jones
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Brian Campbell
- Re: [OAUTH-WG] Future of PoP Work Anthony Nadalin
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Ludwig Seitz
- Re: [OAUTH-WG] Future of PoP Work Samuel Erdtman
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Blue Teazzers