Re: [OAUTH-WG] Signature crypto
Eran Hammer-Lahav <eran@hueniverse.com> Fri, 04 December 2009 19:24 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8137F3A67B0 for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 11:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.964
X-Spam-Level:
X-Spam-Status: No, score=-2.964 tagged_above=-999 required=5 tests=[AWL=-0.365, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gE2xdebe+Dom for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 11:24:30 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 9AB083A63EB for <oauth@ietf.org>; Fri, 4 Dec 2009 11:24:30 -0800 (PST)
Received: (qmail 7739 invoked from network); 4 Dec 2009 19:24:22 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 4 Dec 2009 19:24:22 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Fri, 4 Dec 2009 12:24:20 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Eaton <beaton@google.com>
Date: Fri, 04 Dec 2009 12:24:37 -0700
Thread-Topic: [OAUTH-WG] Signature crypto
Thread-Index: Acp1FcV/6dJS6OFHRw6IzNJVZBD9+AAALKSQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437852936D4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343785183009@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343785293671@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041016k10366b88tb001f7700405083f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785293683@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041023y3207d801r42f01c7a0c4352bb@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234378529368A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912041037t199cc9d3rbd4d31d327f8988b@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234378529369B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041048s7f1f53bs27ec2b78f7f44c8b@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723437852936BC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912041112h71c0644dm8c908478dbff2e9a@mail.gmail.com>
In-Reply-To: <daf5b9570912041112h71c0644dm8c908478dbff2e9a@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signature crypto
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 19:24:31 -0000
That's beside the point. You are talking about implementation and I'm talking about specification. Are you expecting them to write a new RFC to add support for HMAC-1024? That's the implications of what you are suggesting. Instead, I am trying to define a few (1 or 2) classes of algorithms, provide well-defined process of them, and provide an easy registration process for new algorithms which fit the class. A MAC class would be defined as applying any MAC algorithm which can be described by digest=mac(key,text) where text is the signature base string, key is the symmetric shared secret associated with the token, and digest is the value sent to the server for authentication (after properly encoded). With this definition, you can extend the protocol by simply sending an email to a designated list, get quick feedback, and register a new algorithm that fits this template. However, if you want to use a new algorithm that requires, say, asymmetric shared secret or a different normalization of the HTTP request (something different from the signature base string), then you need to write an RFC (or any other Open Standard) and go through a longer process. EHL > -----Original Message----- > From: Brian Eaton [mailto:beaton@google.com] > Sent: Friday, December 04, 2009 11:13 AM > To: Eran Hammer-Lahav > Cc: Breno; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Signature crypto > > On Fri, Dec 4, 2009 at 11:10 AM, Eran Hammer-Lahav > <eran@hueniverse.com> wrote: > > I am trying to avoid the need to publish a specification every time > > you want to add a new MAC-based algorithm. > > People are going to end up needing to write new code every time they want > to add a new MAC-based algorithm. > > Cheers, > Brian
- [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Peter Saint-Andre
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto Hubert Le Van Gong
- Re: [OAUTH-WG] Signature crypto Vrancken Bart bv
- Re: [OAUTH-WG] Signature crypto Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] Signature crypto John Kemp
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Ben Laurie
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Manger, James H
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Stephen Farrell
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Brian Eaton
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Paul C. Bryan
- Re: [OAUTH-WG] Signature crypto stephen.farrell
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Eran Hammer-Lahav
- Re: [OAUTH-WG] Signature crypto Richard Barnes
- Re: [OAUTH-WG] Signature crypto Breno
- Re: [OAUTH-WG] Signature crypto Richard L. Barnes