Re: [OAUTH-WG] why are we signing?

My $.02 for what it's worth:  #1 is sufficient, if there is a standard
mechanism to also handle access token timeout+renewal, because then
OAuth is at least as secure as existing cookie based mechanisms.

#1 may well be sufficient even without that proviso, assuming TLS is
widely deployable, scalable, and Ben Laurie doesn't blog about more
vulnerabilities next week (kidding!)

(Note that nothing stops someone from doing their own encryption of
user data using some other mechanism, if they really need to do so;
OAuth just wouldn't standardize this.)

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer

On Sun, Nov 8, 2009 at 9:02 PM, Brian Eaton <beaton@google.com> wrote:
> Hey folks -
>
> What are the use cases for cryptography in OAuth?  Why are we signing
> requests?  And how much of each request do we need to sign in order to
> be useful?
>
> As I see it, we have roughly the following menu of choices:
>
> 1) No signatures.
>    Just use bearer tokens.  Use transport layer encryption to keep
> those bearer tokens from leaking.
>
> 2) Signed tokens.
>    We could just sign a timestamp, rather than entire messages.
>
> 3) Partially signed messages.
>    We could sign just the request URL, or the request URL plus some parameters.
>
> 4) Fully signed messages.
>     Sign as much of the HTTP request as possible, down to the bits of
> the HTTP entity body.
>
> My guess is we need at least two out of those four choices (one with
> bearer tokens, a la OAuth 1.0 plaintext) and another with
> cryptography.  But I'm not sure whether we need to sign entire
> messages, or if we can get away with something simpler and still have
> reasonable security.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>