IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt

Antonio Sanso <asanso@adobe.com> Thu, 28 February 2013 10:37 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA94821F8B7D for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 02:37:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j60VtvZ8lBHO for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 02:37:55 -0800 (PST)
Received: from exprod6og121.obsmtp.com (exprod6og121.obsmtp.com [64.18.1.237]) by ietfa.amsl.com (Postfix) with ESMTP id E9F5721F8AB4 for <oauth@ietf.org>; Thu, 28 Feb 2013 02:37:48 -0800 (PST)
Received: from outbound-smtp-2.corp.adobe.com ([193.104.215.16]) by exprod6ob121.postini.com ([64.18.5.12]) with SMTP ID DSNKUS8zfJ7Bz9AJWMYWvNFockZHxVuXAkLR@postini.com; Thu, 28 Feb 2013 02:37:54 PST
Received: from inner-relay-1.corp.adobe.com (inner-relay-1.sea.adobe.com [153.32.1.51]) by outbound-smtp-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r1SAbknT019876; Thu, 28 Feb 2013 02:37:47 -0800 (PST)
Received: from nahub01.corp.adobe.com (nahub01.corp.adobe.com [10.8.189.97]) by inner-relay-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r1SAbkAV016733; Thu, 28 Feb 2013 02:37:46 -0800 (PST)
Received: from eurhub01.eur.adobe.com (10.128.4.30) by nahub01.corp.adobe.com (10.8.189.97) with Microsoft SMTP Server (TLS) id 8.3.298.1; Thu, 28 Feb 2013 02:37:46 -0800
Received: from eurmbx01.eur.adobe.com ([10.128.4.32]) by eurhub01.eur.adobe.com ([10.128.4.30]) with mapi; Thu, 28 Feb 2013 10:37:44 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Thu, 28 Feb 2013 10:37:44 +0000
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
Thread-Index: Ac4Vn6RT73QpgH4KReGKXzvRaa9TYA==
Message-ID: <98272BAD-131B-4151-BBB8-0937E8D6781A@adobe.com>
References: <20130225124642.7425.65145.idtracker@ietfa.amsl.com> <1361956373.9883.YahooMailNeo@web31807.mail.mud.yahoo.com> <21030204-8EA7-4FB0-9DD3-2B6C8CA57E02@gmx.net>
In-Reply-To: <21030204-8EA7-4FB0-9DD3-2B6C8CA57E02@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 10:37:55 -0000

Hi Hannes,

apologies if I do the same question again but there is still one point that is a little obscure to me.

As long I did understand the situation for MAC is the following one.

The communication between the client and the authentication server must be https but this is not true for the communication between authentication server and resource server.
Hence the need of this key exchange.

Is it correct? Should be the case why we do not have the same problem in the JWT Bearer case? Is because in that case https is as well mandatory between authentication server and resource server?

Thanks a lot and regards

Antonio


On Feb 28, 2013, at 11:28 AM, Hannes Tschofenig wrote:

> Hi Bill, 
> 
> I believe you are misreading the document. In draft-ietf-oauth-v2-http-mac the client still uses the MAC when it accesses a protected resource. 
> The only place where the JWT comes into the picture is with the description of the access token. This matters from a key distribution point of view. The session key for the MAC is included in the encrypted JWT. The JWT is encrypted by the authorization server and decrypted by the resource server. 
> 
> Information about how header fields get included in the MAC is described in Section 5.
> 
> The nonce isn't killed it is just called differently: seq-nr. The stuff in the original MAC specification actually wasn't a nonce (from the semantic point of view). 
> The extension parameter is there implicitly by allowing additional header fields to be included in the MAC computation.
> 
> I need to look at the port number field again. 
> 
> Ciao
> Hannes
> 
> On Feb 27, 2013, at 11:12 AM, William Mills wrote:
> 
>> Just read the draft quickly.  
>> 
>> Since we're now leaning on JWT do we need to include the token in this?  Why not just make an additional "Envelope MAC" thing and have the signature include the 3 JWT parts in the signature base string?  That object then just becomes a JSON container for the kid, timestamp, signature method, signature etc. That thing then is a 4th base64 encoded JSON thing in the auth header.
>> 
>> How header fields get included in the signature needs definition.
>> 
>> Why did you kill the port number, nonce, and extension parameter out of the signature base string?
>> 
>> The BNF appears to have no separators between values.
>> 
>> -bill
>> 
>> 
>> From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
>> To: i-d-announce@ietf.org 
>> Cc: oauth@ietf.org 
>> Sent: Monday, February 25, 2013 4:46 AM
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>> 
>>    Title          : OAuth 2.0 Message Authentication Code (MAC) Tokens
>>    Author(s)      : Justin Richer
>>                          William Mills
>>                          Hannes Tschofenig
>>    Filename        : draft-ietf-oauth-v2-http-mac-03.txt
>>    Pages          : 26
>>    Date            : 2013-02-25
>> 
>> Abstract:
>>  This specification describes how to use MAC Tokens in HTTP requests
>>  to access OAuth 2.0 protected resources.  An OAuth client willing to
>>  access a protected resource needs to demonstrate possession of a
>>  crytographic key by using it with a keyed message digest function to
>>  the request.
>> 
>>  The document also defines a key distribution protocol for obtaining a
>>  fresh session key.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac
>> 
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-03
>> 
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-http-mac-03
>> 
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email