Re: [OAUTH-WG] why are we signing?

Brian Eaton <beaton@google.com> Tue, 10 November 2009 00:26 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AB133A67AF for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 16:26:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DQrACN1jMMf for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 16:26:58 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 572653A63EB for <oauth@ietf.org>; Mon, 9 Nov 2009 16:26:58 -0800 (PST)
Received: from zps78.corp.google.com (zps78.corp.google.com [172.25.146.78]) by smtp-out.google.com with ESMTP id nAA0RMSN019145 for <oauth@ietf.org>; Tue, 10 Nov 2009 00:27:23 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1257812843; bh=peRYx4Oha8hRKVZH8OkkjN11HkE=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=KyNyTf/6wq0I2h2PDP1juYrC8Dpa6kaHxO1XFkbXyAswr5xOR9Q9IiwqdQSZVm+Yi 0ItUYNLhlBuOJzMm+l6Ug==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=Y+07ExXblVsNvhqnhx64UAg8tUmLAjN2QjiqHjbkL80/lXJqf3119BstV2Zii2tiR Ldc0hF6oHkRn+aLvUnxPg==
Received: from pxi12 (pxi12.prod.google.com [10.243.27.12]) by zps78.corp.google.com with ESMTP id nAA0PTHd026278 for <oauth@ietf.org>; Mon, 9 Nov 2009 16:27:20 -0800
Received: by pxi12 with SMTP id 12so1350894pxi.3 for <oauth@ietf.org>; Mon, 09 Nov 2009 16:27:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.170.10 with SMTP id s10mr435461rve.72.1257812838938; Mon, 09 Nov 2009 16:27:18 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 09 Nov 2009 16:27:18 -0800
Message-ID: <daf5b9570911091627i3e70924bnda232246df3918fd@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 00:26:59 -0000

On Sun, Nov 8, 2009 at 11:48 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> The problem is, we are not likely to ever reach consensus on 'reasonable security'.

Agreed, we are going to need a couple of options to cover even the
most vanilla use cases.  I fully expect other people to come up with
more options for their specific use cases.

My goal with this conversation is to identify the vanilla use cases
that would cover most applications.

> For example, I don't find most cookie-based session systems reasonably secure without SSL/TLS.
> Being able to sit at a coffee shop with free wifi and a laptop and steal session cookies, then access
> people's email for the duration the cookie is valid isn't reasonable or secure.

OK, so let's consider OAuth-authenticated access to such a service...
does signing requests improve security?

I don't think so.  The user's password is going to be sent in
clear text when they log in to the service to approve the OAuth token.
And whenever they view a web page on the service their session
cookies are sent in clear text.  The user's data (which is what really
matters in this whole discussion...) is sent in clear text.

AFAICT, using HMAC-SHA1 or RSA-SHA1 in such an environment doesn't
protect users that much.  The service really needs to support https if
they are concerned about that threat model.

Cheers,
Brian
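The point Brian makes above, that request signing authenticates and integrity-protects a request but does nothing for confidentiality, can be shown concretely with OAuth 1.0 HMAC-SHA1 signing. The code below is an added example for this thread, not code from the list or from any OAuth implementation. It follows the signature base string and HMAC-SHA1 rules of OAuth Core 1.0 (single-valued parameters only); the URL, keys, secrets and the `status` parameter are constructed sample values, and `eavesdropper_view` simply models what a passive observer on plain HTTP can read.

```python
"""OAuth 1.0 HMAC-SHA1 request signing, and what it does and does not protect.

Added example (not from the mailing list or any OAuth library). Signature base
string and key construction follow OAuth Core 1.0; only single-valued
parameters are handled. All request values below are constructed samples.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlparse


def oauth_encode(value: str) -> str:
    """Percent-encode per OAuth 1.0: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the signed string: METHOD & encoded base URL & encoded normalized params."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = parsed.hostname.lower()
    # Default ports are dropped from the base URL; non-default ports are kept.
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parsed.port and parsed.port != default_port:
        host = f"{host}:{parsed.port}"
    base_url = f"{scheme}://{host}{parsed.path}"
    # Every parameter except oauth_signature itself is covered by the signature.
    pairs = sorted(
        (oauth_encode(k), oauth_encode(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """Key is encode(consumer_secret) '&' encode(token_secret); output is base64."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret) -> dict:
    """Client side: return the parameters as sent, with oauth_signature attached."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        method, url, params, consumer_secret, token_secret
    )
    return signed


def verify_request(method, url, params, consumer_secret, token_secret) -> bool:
    """Server side: recompute and compare in constant time.

    This detects tampering and proves possession of the secrets; a real
    server must also reject reused oauth_nonce/oauth_timestamp pairs.
    """
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def eavesdropper_view(signed_params: dict) -> dict:
    """Model of plain HTTP: every parameter, the user's data and the token
    included, is readable in transit. The signature adds no confidentiality."""
    return {k: v for k, v in signed_params.items() if k != "oauth_signature"}


# Constructed sample request: posting a user's status message over plain HTTP.
METHOD = "POST"
URL = "http://api.example.com/1/statuses/update"
CONSUMER_SECRET = "consumer-secret-constructed"
TOKEN_SECRET = "token-secret-constructed"
REQUEST = {
    "oauth_consumer_key": "ck123",
    "oauth_token": "tok456",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1257812838",
    "oauth_nonce": "n1",
    "oauth_version": "1.0",
    "status": "hello world",
}


def demo():
    """Returns (genuine request verifies, tampered request verifies, status seen on wire)."""
    signed = sign_request(METHOD, URL, REQUEST, CONSUMER_SECRET, TOKEN_SECRET)
    genuine_ok = verify_request(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    # Integrity: changing any covered parameter invalidates the signature.
    tampered = dict(signed, status="something else")
    tampered_ok = verify_request(METHOD, URL, tampered, CONSUMER_SECRET, TOKEN_SECRET)
    # Confidentiality: none; the user's text is visible to a passive observer.
    seen = eavesdropper_view(signed)
    return genuine_ok, tampered_ok, seen["status"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, False, 'hello world')`: the server accepts the genuine request and rejects the modified one, while the observer still reads the user's data and the `oauth_token` value unchanged. That is exactly the gap in the thread: HMAC-SHA1 or RSA-SHA1 signing protects the request from alteration and forgery, but only TLS keeps the password, session cookies and data out of view on an open network.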