IETF Logo Mail Archive

Re: [OAUTH-WG] Basic signature support in the core specification

John Panzer <jpanzer@google.com> Mon, 27 September 2010 07:01 UTC

Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 800923A6C84 for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 00:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.943
X-Spam-Level:
X-Spam-Status: No, score=-105.943 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqzgpCwf3Pwm for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 00:01:04 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id E5DB53A6C83 for <oauth@ietf.org>; Mon, 27 Sep 2010 00:01:03 -0700 (PDT)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com [172.25.149.7]) by smtp-out.google.com with ESMTP id o8R71eF4021278 for <oauth@ietf.org>; Mon, 27 Sep 2010 00:01:40 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285570901; bh=/skbFhPKzKPwB6k8zkRRESo+yl8=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=O6qybUDglm1F5XIMRbBxggpRD9ooHidcxU96GTmQigwpCAgNpiwQTWe3rQeA5SHSN VDcSFW7nKuFXQ35vijX4g==
Received: from pzk30 (pzk30.prod.google.com [10.243.19.158]) by hpaq7.eem.corp.google.com with ESMTP id o8R71a0r030467 for <oauth@ietf.org>; Mon, 27 Sep 2010 00:01:38 -0700
Received: by pzk30 with SMTP id 30so740258pzk.30 for <oauth@ietf.org>; Mon, 27 Sep 2010 00:01:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=UoOE5ntxkX3iZSU0R1Oz6gZEIAnzvOFQYvQ3e1SurfA=; b=jji2FFv3oEMkxz7OG/3Uda6mn2sGMhd58FKiNKwVyhG7Boe1b7sE0R72NaMw5Vr87/ 8+kwIe0/NKEy7R6M9rcg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=hy3MknM4/qfezB6LOVfuJWPY9r4xIbMPgqumzm25znX3s/phhO2Gv1AusQkVy4lscJ GT5eeTQwjoX8utgQB6hw==
Received: by 10.142.169.21 with SMTP id r21mr5962829wfe.185.1285570895737; Mon, 27 Sep 2010 00:01:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.233.7 with HTTP; Mon, 27 Sep 2010 00:01:15 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343D45D80136@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C8C15057.3AC64%eran@hueniverse.com> <D01C840D-BA0A-42AE-A6C4-C43E6E84C2F2@gmail.com> <255B9BB34FB7D647A506DC292726F6E1126BFB1574@WSMSG3153V.srv.dir.telstra.com> <90C41DD21FB7C64BB94121FBBC2E72343D45D80132@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CD71CDA0-15FA-4860-87EA-BE9C4B6932E4@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343D45D80136@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: John Panzer <jpanzer@google.com>
Date: Mon, 27 Sep 2010 00:01:15 -0700
Message-ID: <AANLkTimKJGRBqXPiUVROYQNRhj0KPEp0C4K8KXqUHjsr@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="000e0cd1444e92f5820491384c63"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 07:01:06 -0000

On Sun, Sep 26, 2010 at 11:37 PM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

>
>
> > -----Original Message-----
> > From: Dick Hardt [mailto:dick.hardt@gmail.com]
> > Sent: Sunday, September 26, 2010 11:21 PM
>
> > >  What I absolutely object to is presenting a specification that to a
> new
> > reader will read as if bearer tokens are the default way to go. OAuth 2.0
> core
> > today reads like a complete protocol and that's my problem.
> >
> > It is a complete protocol for many existing use cases.
>
> That's clearly a matter of personal opinion :-) and why we have been
> arguing about this for over a year.
>
> > For those use cases
> > where it is not, you can call require signatures and point people to the
> > signature spec, just like the use of bearer tokens points people to the
> TLS
> > specs.
>
> According to Ben Laurie [1] and Ben Adida [2], a simple reference to TLS is
> a recipe for disaster.


Actually in [1], Ben Laurie does not say that a simple reference to TLS is a
recipe for disaster.  (Go read it.)  In fact his first point is that you
need a well-define threat model before you can talk sensibly about any of
this; I would really like us to do that in this case too.


> People tend to implement TLS incorrectly on the client side which voids
> many of the important protections it is meant to provide.
>

The bits they tend to implement incorrectly (specifically, things like
checking for certificate revocations) seem to me to be very general and
exactly the kinds of things one needs in order to implement _any_ protection
against the endpoint impersonation you are worried about.  Why would they be
more likely to get it right for a new protocol than for an existing one?


>
> As the editor, I am having a hard time consolidating your view which treats
> readers as security experts, capable of making educated decisions about the
> protocol, and the demands from others that the specification should be
> completely accessible to any developer (especially those with no security
> background) and read like a tutorial on OAuth.
>
> If we want to keep the full range, we need to clearly express it, including
> highlighting the significant shortcomings of bearer tokens, the known TLS
> deployment issues, and the value in whatever signature proposals we have
> ready to reference or include.
>
> Standards are meant to improve interoperability, but also security. This is
> why any IETF charter dealing with an existing technology states that the
> working group may break compatibility if it has interop or security reasons
> to do so. We are doing fine on interop, but doing pretty badly on security.
>
> EHL
>
> [1] http://www.links.org/?p=846
> [2] http://benlog.com/articles/2009/12/22/its-a-wrap/
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email