Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

Skylar Woodward <skylar@kiva.org> Mon, 07 February 2011 16:36 UTC

From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 07 Feb 2011 17:36:04 +0100
Message-Id: <2CA0EEE5-B3A9-4276-9BAC-D48880845DA1@kiva.org>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

A couple of editorial notes:

3.2 has a mismatch of parameters between the example and the text (e.g., "using access token j92fsdjf094gjfdi,..." where h480djs93hd8 from 1.1 is used in the example). The timestamp and nonce are also mismatched, though bodyhash seems correct. As a result, the signature is invalid for the example.

3.3.1 gives an example of a request but doesn't provide the secret or a signature. It's not necessary here, but adding a valid Authentication header for this line as well as "using.... secret...algorithm" statement gives implementors more information to validate their work against the spec. Adding the algorithm for the token/secret would also inform the method implied (sha1) for the body hash in this example.

If these two issues are resolved, the spec gives 3 clear examples (e.g., test cases) for implementors to confirm their understanding of the signature process. It's a valuable side-effect with very little effort or distraction.

skylar


On Jan 22, 2011, at 2:09 AM, Eran Hammer-Lahav wrote:

> http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02
>  
> New version includes the following changes:
>  
>    o  Added body-hash support.
>    o  Updated OAuth 2.0 reference to -12 and added token type registration template.
>    o  Removed error and error URI attributes (codes were just a duplication of the HTTP status codes).
>  
> Feedback would be greatly appreciated.
>  
> EHL
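The thread's point is that a spec example only works as a test vector when token, secret, timestamp, nonce, bodyhash and signature all belong to the same request. The following is an added example, not code from the draft or from either poster, showing what an implementor would run against such a vector: a client-side header builder and a server-side verifier for an HMAC-SHA1 MAC token with a SHA-1 bodyhash. The field order of the normalized request string, the shared secret, the timestamp/nonce values and all function names are assumptions made for this example; only the token name h480djs93hd8 comes from the thread. The demo reproduces the failure Skylar describes: keep the signature but change the timestamp, and verification fails.

```python
import base64
import hashlib
import hmac

# Layout of the normalized request string. The field order below is an
# assumption made for this example, not a quotation of draft -02; use the
# draft's own order when checking real test vectors against it.
def normalized_request_string(timestamp, nonce, method, request_uri,
                              host, port, bodyhash=""):
    """Build the string both sides MAC over; every element ends in '\\n'."""
    parts = (str(timestamp), nonce, method.upper(), request_uri,
             host.lower(), str(port), bodyhash)
    return "".join(f"{p}\n" for p in parts)


def body_hash(body: bytes) -> str:
    """bodyhash = base64(SHA-1(raw body)). SHA-1 is assumed to match the
    token's algorithm, which is what the thread asks the draft to state."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def request_mac(secret: str, normalized: str) -> str:
    """HMAC-SHA1 over the normalized request string, base64 encoded."""
    digest = hmac.new(secret.encode("utf-8"), normalized.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_header(token, secret, timestamp, nonce, method, request_uri,
                 host, port, body=b""):
    """Client side: produce the Authorization header for one request."""
    bh = body_hash(body) if body else ""
    nrs = normalized_request_string(timestamp, nonce, method, request_uri,
                                    host, port, bh)
    attrs = [f'token="{token}"', f'timestamp="{timestamp}"',
             f'nonce="{nonce}"']
    if bh:
        attrs.append(f'bodyhash="{bh}"')
    attrs.append(f'signature="{request_mac(secret, nrs)}"')
    return "MAC " + ", ".join(attrs)


def parse_mac_header(value: str) -> dict:
    """Parse 'MAC k1="v1", k2="v2"' into a dict of attributes."""
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    attrs = {}
    for item in params.split(","):
        key, _, val = item.strip().partition("=")
        attrs[key] = val.strip().strip('"')
    return attrs


def verify_request(header, secret_for_token, method, request_uri, host,
                   port, body=b""):
    """Server side: recompute bodyhash and MAC from what was actually
    received and compare both in constant time."""
    attrs = parse_mac_header(header)
    secret = secret_for_token(attrs.get("token", ""))
    if secret is None:
        return False
    bh_claimed = attrs.get("bodyhash", "")
    bh_actual = body_hash(body) if body else ""
    if not hmac.compare_digest(bh_claimed.encode(), bh_actual.encode()):
        return False
    nrs = normalized_request_string(attrs.get("timestamp", ""),
                                    attrs.get("nonce", ""), method,
                                    request_uri, host, port, bh_claimed)
    expected = request_mac(secret, nrs)
    return hmac.compare_digest(expected.encode(),
                               attrs.get("signature", "").encode())


# Constructed secret store for the demo; the secret is invented here.
SECRETS = {"h480djs93hd8": "constructed-shared-secret"}


def demo():
    """Build a header from a constructed vector and verify it, then change
    only the timestamp (as in the mismatched 3.2 example) and verify again.
    Returns (consistent_ok, mismatched_ok)."""
    req = dict(method="POST", request_uri="/resource/1?b=1&a=2",
               host="example.com", port=80, body=b"hello=world%21")
    hdr = build_header("h480djs93hd8", SECRETS["h480djs93hd8"],
                       1296000000, "constructed-nonce", **req)
    consistent_ok = verify_request(hdr, SECRETS.get, **req)
    stale = hdr.replace('timestamp="1296000000"', 'timestamp="1296000001"')
    mismatched_ok = verify_request(stale, SECRETS.get, **req)
    return consistent_ok, mismatched_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A real verifier would additionally reject timestamps outside its clock-skew window and nonces it has already seen for that token; those checks are independent of the signature math and are omitted here to keep the vector comparison visible.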