Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

Skylar Woodward <skylar@kiva.org> Tue, 08 February 2011 08:57 UTC


On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote:
> This authentication method comes with well understood security properties. By making query parameters optional because of developer ease, providers will be giving up an important part of the protection this protocol offers. This is especially true for the majority of APIs where query parameters are critical to the request integrity.

Is the same then not true of content body? Why require one and not the other? Either you trust providers to decide when the content/parameter portions of a request (or an API) are critical to request integrity, or you don't.

With that argument you should just require a body hash and be done with it. What's the argument to make it an optional part of the base string?