Re: [OAUTH-WG] HTTP signing spec and nonce
Justin Richer <jricher@mit.edu> Sun, 28 February 2016 21:34 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08E21B2F1D for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 13:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nLQspvTAGBc for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 13:34:08 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF6B41B2E33 for <oauth@ietf.org>; Sun, 28 Feb 2016 13:34:07 -0800 (PST)
X-AuditID: 12074425-593ff70000000508-6d-56d367ce6d0c
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 41.05.01288.EC763D65; Sun, 28 Feb 2016 16:34:06 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u1SLY5CP016614; Sun, 28 Feb 2016 16:34:06 -0500
Received: from [10.0.1.8] (ip68-104-118-32.lv.lv.cox.net [68.104.118.32]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u1SLY1U7027857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 28 Feb 2016 16:34:04 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_497B2CDF-277D-4A20-B972-D083D20512B0"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <etPan.56d14afa.11e44d1b.12e86@dombp.fritz.box>
Date: Sun, 28 Feb 2016 13:34:01 -0800
Message-Id: <4DF9257B-EAFE-440C-B1DD-FB7507F1BB18@mit.edu>
References: <008201d170a4$f5216910$df643b30$@gmail.com> <69709F83-8D24-44DE-9A3B-D3BF8F70C201@mit.edu> <etPan.56d14afa.11e44d1b.12e86@dombp.fritz.box>
To: Dominick Baier <dbaier@leastprivilege.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplleLIzCtJLcpLzFFi42IRYrdT1z2XfjnM4NtUNYsZP46yW8y4cJXZ 4uTbV2wOzB47Z91l91iy5CeTx/Y1F5gCmKO4bFJSczLLUov07RK4Mqbe2spa8Nyt4vWXwywN jBNsuxg5OCQETCQuHyjpYuTiEBJoY5JY/vgnO4SzkVGid8ZUVgjnGJNEy+TVQA4nB7NAgsTT fw9YQGxeAT2JV7cus4JMEhYwlpj2MRUkzCagKjF9TQsTSJhTwEZix3YDkDALUHjjFohOZgFv iVfL+tkgplhJLOt7xwixahqjxNFjf5lBEiJA4yetmsEOYksIyErs/v2IaQIj/ywkV8xCcgVE XFti2cLXzBC2psT+7uUsmOIaEp3fJrIuYGRbxSibklulm5uYmVOcmqxbnJyYl5dapGuhl5tZ opeaUrqJERzqLqo7GCccUjrEKMDBqMTD+0LzcpgQa2JZcWXuIUZJDiYlUd4+8YthQnxJ+SmV GYnFGfFFpTmpxYcYJTiYlUR43S2BynlTEiurUovyYVLSHCxK4rwxN4+GCQmkJ5akZqemFqQW wWRlODiUJHhT04AaBYtS01Mr0jJzShDSTBycIMN5gIbLg9TwFhck5hZnpkPkTzEqSonz6oEk BEASGaV5cL2gVOSSUabwilEc6BVh3g0gVTzANAbX/QpoMBPQYIn1l0AGlyQipKQaGA8ez1Jx 0TLW3Ze4xYzxpcWCx9He83J/OKX/PrS2SCV+/tSQzpx5giLfz95wql2QN+Ek+9rnL/648CjY RM05elbF9rwsV46DzCdBFddv8eys5jbXN2dP/1u37fOJSXz6n369VT3hYtW1Ufh1vciPEj53 Ad74iadVrrP3ZZatZJDZMnn21NR/65RYijMSDbWYi4oTAUNRdG8gAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/DksW7pmuNvTcm-yLnCU1eoLzKyE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] HTTP signing spec and nonce
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2016 21:34:10 -0000
I understand how they work, I’ve built exactly that cache before. But I askWouldn’t a unique timestamp have the same effect? Currently it’s integer seconds but slicing that down further (floating point seconds?) if people desired would allow for multiple signed messages in the same second from the same client using the otherwise same parameters. “Other protocols do it” is not a compelling reason on its own, especially when the example of “other protocols” includes WS-* ;) Seriously though, an optional nonce is easy to add to the draft if there’s enough WG support, I’m just hesitant to add more complexity than needed to this. — Justin > On Feb 26, 2016, at 11:06 PM, Dominick Baier <dbaier@leastprivilege.com> wrote: > > The nonce would allow to build a replay cache, the timestamp to trim that cache and reject messages that are too old. > > Similar protocols have a nonce for the above reasons (ws-sec msg security, hawk)... > > — > cheers > Dominick Baier > > On 27 February 2016 at 03:48:00, Justin Richer (jricher@mit.edu <mailto:jricher@mit.edu>) wrote: > >> I’d be glad to add in a nonce if there’s a compelling reason for it, such as closing a security attack vector. >> >> What’s the proposed purpose of the nonce? Is it just to add randomness to the signing base? Or is it to prevent replay at the RS? If the former, the timestamp should add enough of that and it can be verified to be within a reasonable window by the RS by comparing it with the time the request was made. If the latter, the RS is going to have to track previously used nonces for some amount of time. >> >> There was a small discussion of just signing an outgoing “Date:” header instead of the separate timestamp, but the timestamp seemed to be more robust. I forget the full reasoning though. >> >> — Justin >> >>> On Feb 26, 2016, at 9:49 AM, Brock Allen <brockallen@gmail.com <mailto:brockallen@gmail.com>> wrote: >>> >>> Question about the HTTP signing spec – why is there no nonce (and just a timestamp)? >>> >>> TIA >>> >>> -Brock >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] HTTP signing spec and nonce Brock Allen
- Re: [OAUTH-WG] HTTP signing spec and nonce Justin Richer
- Re: [OAUTH-WG] HTTP signing spec and nonce Dominick Baier
- Re: [OAUTH-WG] HTTP signing spec and nonce Justin Richer
- Re: [OAUTH-WG] HTTP signing spec and nonce Samuel Erdtman