Re: [OAUTH-WG] why are we signing?
John Panzer <jpanzer@google.com> Tue, 10 November 2009 04:18 UTC
Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 485993A6822 for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 20:18:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2e2slUvW0jOm for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 20:18:17 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 0AA753A67BD for <oauth@ietf.org>; Mon, 9 Nov 2009 20:18:16 -0800 (PST)
Received: from spaceape11.eur.corp.google.com (spaceape11.eur.corp.google.com [172.28.16.145]) by smtp-out.google.com with ESMTP id nAA4If1G028634 for <oauth@ietf.org>; Tue, 10 Nov 2009 04:18:41 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1257826721; bh=vY6/rlK1Drt0WiymynTnSfAqNUM=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=YqM4Am6vKWNXaAb7cw8TgMq7szlvoYdXx+1nBFmWBG2P3LolJTbcTzeZolTNNB96u jaPYqZPdpR1xWdIez1ahQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=iEHVLdkX+7hvf5j1qKe/lc5kqOurdDottdqRu+8CR1QhLB9vfvVHEJYqwyqeEiFll regBLecEHnNo0gWmj4noA==
Received: from pxi15 (pxi15.prod.google.com [10.243.27.15]) by spaceape11.eur.corp.google.com with ESMTP id nAA4Ic7Z005729 for <oauth@ietf.org>; Mon, 9 Nov 2009 20:18:39 -0800
Received: by pxi15 with SMTP id 15so2602300pxi.23 for <oauth@ietf.org>; Mon, 09 Nov 2009 20:18:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.115.66.10 with SMTP id t10mr1719804wak.20.1257826713147; Mon, 09 Nov 2009 20:18:33 -0800 (PST)
In-Reply-To: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
From: John Panzer <jpanzer@google.com>
Date: Mon, 09 Nov 2009 20:18:13 -0800
Message-ID: <cb5f7a380911092018r2e94e1a7ncbfe1354c3b5164d@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 04:18:18 -0000
My $.02 for what it's worth: #1 is sufficient, if there is a standard mechanism to also handle access token timeout+renewal, because then OAuth is at least as secure as existing cookie based mechanisms. #1 may well be sufficient even without that proviso, assuming TLS is widely deployable, scalable, and Ben Laurie doesn't blog about more vulnerabilities next week (kidding!) (Note that nothing stops someone from doing their own encryption of user data using some other mechanism, if they really need to do so; OAuth just wouldn't standardize this.) -- John Panzer / Google jpanzer@google.com / abstractioneer.org / @jpanzer On Sun, Nov 8, 2009 at 9:02 PM, Brian Eaton <beaton@google.com> wrote: > Hey folks - > > What are the use cases for cryptography in OAuth? Why are we signing > requests? And how much of each request do we need to sign in order to > be useful? > > As I see it, we have roughly the following menu of choices: > > 1) No signatures. > Just use bearer tokens. Use transport layer encryption to keep > those bearer tokens from leaking. > > 2) Signed tokens. > We could just sign a timestamp, rather than entire messages. > > 3) Partially signed messages. > We could sign just the request URL, or the request URL plus some parameters. > > 4) Fully signed messages. > Sign as much of the HTTP request as possible, down to the bits of > the HTTP entity body. > > My guess is we need at least two out of those four choices (one with > bearer tokens, a la OAuth 1.0 plaintext) and another with > cryptography. But I'm not sure whether we need to sign entire > messages, or if we can get away with something simpler and still have > reasonable security. > > Cheers, > Brian > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Chris Messina
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? John Kemp
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Igor Faynberg
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? BeckW
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] OAuth WRAP RL 'Bob' Morgan
- Re: [OAUTH-WG] OAuth WRAP Chris Messina
- Re: [OAUTH-WG] [WRAP] Re: OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] OAuth WRAP Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? George Fletcher
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Prateek Mishra
- Re: [OAUTH-WG] why are we signing?; OAuth 2.0 / C… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Richard Barnes
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation (was: Re: why a… Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation Vrancken Bart bv
- Re: [OAUTH-WG] multi-level delegation (was: Re: w… Zeltsan, Zachary (Zachary)