Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

William Mills <wmills_92105@yahoo.com> Fri, 10 August 2012 14:42 UTC

Message-ID: <1344609762.59093.YahooMailNeo@web31810.mail.mud.yahoo.com>
Date: Fri, 10 Aug 2012 07:42:42 -0700
From: William Mills <wmills_92105@yahoo.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <283C0846-4D26-4B3B-AD6D-7F895E8AF47D@gmx.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
________________________________
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: William Mills <wmills_92105@yahoo.com> 
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; John Bradley <ve7jtb@ve7jtb.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Friday, August 10, 2012 12:01 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

Hi Bill, 

thanks for the feedback. Let's have a look at this use case: 

You need to provide me a bit more information regarding your use case. Could you please explain 

1) Who is authenticated to whom?


wjm> the client is authenticated to the server.

2) What plaintext connection are you talking about? 

wjm> generally an HTTP connection to a webservice

3) What is the problem with encrypted connections? Is this again the "TLS has so bad performance" argument? 


wjm>  Yes, annoying but true.  This may change, but we do business with enough folks that refuse SSL that this is a real problem.

4) Since you are talking about cookies and making them more secure are you trying to come up with a general solution to better cookie security - a topic others are working on as well. 

wjm>  No, I'm pointing out the problems with a simple replayable credential like cookies as a comparison.

5) What is the threat you are concerned about? 

wjm> The vulnerability of plaintext connections: theft of credentials and tampering. 

Ciao
Hannes

PS: I would heavily argue against standardizing a security mechanism that offers weaker protection than Bearer when the entire argument has always been "Bearer is so insecure and we need something stronger."

On Aug 9, 2012, at 9:43 PM, William Mills wrote:

> OK, I'll play and start documenting the use cases.  
> 
> Use case #1: Secure authentication in plain text connections:
> 
> Some applications need a secure form of authorization, but do not want or need the overhead of encrypted connections.  HTTP cookies and their ilk are replayable credentials and do not satisfy this need.  The MAC scheme, using signed HTTP authorization credentials, offers the capability to securely authorize a transaction, can offer integrity protection on all or part of an HTTP request, and can provide replay protection.
> 
> -bill
> 
> From: John Bradley <ve7jtb@ve7jtb.com>
> To: William Mills <wmills_92105@yahoo.com> 
> Cc: Dick Hardt <dick.hardt@gmail.com>; "oauth@ietf.org" <oauth@ietf.org> 
> Sent: Thursday, August 9, 2012 11:26 AM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
> 
> In Vancouver the question was asked about the future of the MAC spec due to it no longer having an editor.
> 
> The Chair and AD indicated a desire to have a document on the use-cases we are trying to address before deciding on progressing MAC or starting a new document.
> 
> Phil Hunt is going to put together a summary of the Vancouver discussion and we are going to work on the use-case/problem description document ASAP.
> 
> People are welcome to contribute to the use-case document.
> 
> Part of the problem with MAC has been that people could never agree on what it was protecting against.  
> 
> I think there is general agreement that one or more proof mechanisms are required for access tokens.
> Security for the token endpoint also cannot be ignored. 
> 
> 
> John B.
>  
> On 2012-08-09, at 1:53 PM, William Mills wrote:
> 
>> MAC fixes the signing problems encountered in OAuth 1.0a; yes, there are libraries out there for OAuth 1.0a.  MAC fits into the OAuth 2 auth model and will provide for a single codepath for sites that want to use both Bearer and MAC.
>> 
>> From: Dick Hardt <dick.hardt@gmail.com>
>> To: William Mills <wmills_92105@yahoo.com> 
>> Cc: "oauth@ietf.org" <oauth@ietf.org> 
>> Sent: Thursday, August 9, 2012 10:27 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>> 
>> 
>> On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>> 
>>> I find the idea of starting from scratch frustrating.  MAC solves a set of specific problems and has a well defined use case.  It's symmetric-key based, which doesn't work for some folks, and the question is: do we try to develop something that supports both PK and SK, or finish the SK use case and then work on a PK based draft?
>>> 
>>> I think it's better to leave them separate and finish out MAC which is *VERY CLOSE* to being done.
>> 
>> Who is interested in MAC? People can use OAuth 1.0 if they prefer that model. 
>> 
>> For my projects, I prefer the flexibility of a signed or encrypted JWT if I need holder of key.
>> 
>> Just my $.02
>> 
>> -- Dick  
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
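
The plaintext-connection use case argued above (a signed, nonce-bearing MAC credential versus a replayable cookie, against the stated threats of credential theft and tampering), as an added example that is not part of this thread or of the MAC draft: a simplified HMAC request signer and the server-side verifier that rejects tampered bodies, altered request lines and replayed nonces. The normalized string layout, the `bodyhash` parameter, the key id and the shared secret are this example's assumptions, not the draft's exact normative format.

```python
import base64, hashlib, hmac, re

# Constructed credentials for this example only (not real key material).
KEYS = {"h480djs93hd8": b"example-shared-secret"}

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def normalized(nonce, method, uri, host, port, bodyhash):
    # Simplified normalized request string (assumed layout): each element is
    # newline-terminated so the MAC binds method, URI, host, port and body
    # without ambiguous field boundaries.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port), bodyhash, ""]) + "\n"

def compute_mac(secret, nonce, method, uri, host, port, bodyhash):
    msg = normalized(nonce, method, uri, host, port, bodyhash).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def sign(key_id, ts, rnd, method, uri, host, port, body):
    # Client side: the nonce carries a timestamp so the server can bound the replay window.
    nonce, bh = f"{ts}:{rnd}", body_hash(body)
    mac = compute_mac(KEYS[key_id], nonce, method, uri, host, port, bh)
    return f'MAC id="{key_id}", nonce="{nonce}", bodyhash="{bh}", mac="{mac}"'

class Verifier:
    """Server side: rejects tampering (bad MAC or body hash) and replay (seen or stale nonce)."""
    def __init__(self, window=60):
        self.window, self.seen = window, set()   # seen: (id, nonce) pairs already accepted

    def verify(self, header, method, uri, host, port, body, now):
        if not header.startswith("MAC "):
            return "bad scheme"
        p = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
        secret = KEYS.get(p.get("id"))
        if secret is None:
            return "unknown id"
        try:
            ts = int(p["nonce"].split(":", 1)[0])
        except (KeyError, ValueError):
            return "bad nonce"
        if abs(now - ts) > self.window:          # outside the accepted clock window
            return "stale nonce"
        if (p["id"], p["nonce"]) in self.seen:   # same credential presented twice
            return "replay"
        if p.get("bodyhash", "") != body_hash(body):
            return "body tampered"
        expected = compute_mac(secret, p["nonce"], method, uri, host, port, p["bodyhash"])
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return "bad mac"                     # request line or host altered in transit
        self.seen.add((p["id"], p["nonce"]))     # record only after full verification
        return "ok"
```

A cookie or bearer token has no equivalent of the nonce and body-hash checks, which is why an intercepted one can be presented again unchanged; here a captured header is only valid for one request, within the time window, and for the exact request it was computed over.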