Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme

Mark Nottingham <mnot@mnot.net> Sun, 20 November 2011 21:34 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735EDFD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 21 Nov 2011 08:34:40 +1100
Message-Id: <29DF95E3-1E07-433C-B67A-6A8C044B5F9D@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net> <90C41DD21FB7C64BB94121FBBC2E7234526735EDFD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme

It sounds like it's specifying *almost* the same thing, but in a different way. Why is there friction? Is it fashion, NIH or something more substantial?

Cheers,


On 20/11/2011, at 4:08 AM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: Mark Nottingham [mailto:mnot@mnot.net]
>> Sent: Tuesday, May 31, 2011 4:57 PM
> 
>> The "normalized request string" contains the request-URI and values
>> extracted from the Host header. Be aware that intermediaries can and do
>> change these; e.g., they may change an absolute URI to a relative URI in the
>> request-line, without affecting the semantics of the request. See [1] for
>> details (it covers other problematic conditions too).
>> 
>> It would be more robust to calculate an effective request URI, as in [2].
>> [2] http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3
> 
> Using the effective request URI has proved to be a significant point of friction in OAuth 1.0. I would rather note that intermediaries can change the request URI and that the server must reverse those changes based on what the values should have been if they were received from the client directly.
> 
> EHL

--
Mark Nottingham   http://www.mnot.net/
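The exchange above is about what the server feeds into the MAC computation when an intermediary has rewritten the request-line (absolute-form vs. origin-form) or the Host header. The script below, an added example that is not part of the thread and not code from the MAC draft or the httpbis draft, reconstructs an effective request URI from either request-target form and shows that the same logical request then produces the same MAC regardless of how a proxy rewrote it. The line layout of the normalized string, the `connection_scheme` parameter, the key, nonce and timestamp, and the three sample requests are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample requests (not taken from the thread): one logical request
# as the client sent it (origin-form request-target plus Host header) and as a
# proxy might rewrite it (absolute-form request-target, Host possibly dropped).
REQUESTS = {
    "origin-form": ("GET", "/resource/1?b=1&a=2", {"Host": "example.com"}),
    "absolute-form": ("GET", "http://example.com/resource/1?b=1&a=2", {"Host": "example.com"}),
    "absolute-form-no-host": ("GET", "http://example.com:80/resource/1?b=1&a=2", {}),
}


def effective_request_uri(target, headers, connection_scheme="http"):
    """Return (scheme, host, port, path_and_query) for an incoming request.

    Follows the idea of the httpbis "effective request URI": an absolute-form
    request-target supplies scheme and authority itself (the Host header is
    then ignored); an origin-form target takes the authority from the Host
    header and the scheme from the connection. connection_scheme is an
    assumption: the server knows whether the request arrived over TLS.
    """
    if target.startswith("/"):
        scheme = connection_scheme
        authority = headers.get("Host")
        if authority is None:
            raise ValueError("origin-form request without Host header")
        path_and_query = target
    else:
        parts = urlsplit(target)
        if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
            raise ValueError("unsupported request-target: %r" % target)
        scheme = parts.scheme
        authority = parts.netloc
        path_and_query = parts.path or "/"
        if parts.query:
            path_and_query += "?" + parts.query
    host, _, port = authority.partition(":")
    port = int(port) if port else DEFAULT_PORTS[scheme]
    # Host names are case-insensitive, so normalise before they enter the MAC.
    return scheme, host.lower(), port, path_and_query


def normalized_request_string(method, target, headers, ts, nonce, ext="",
                              connection_scheme="http"):
    """Build the string the MAC is computed over.

    The layout (timestamp, nonce, method, path+query, host, port, ext, each
    newline-terminated) is a simplified illustration of a MAC-style normalized
    request string, not a verbatim copy of the draft's format.
    """
    _, host, port, path_and_query = effective_request_uri(target, headers, connection_scheme)
    fields = (ts, nonce, method.upper(), path_and_query, host, str(port), ext)
    return "".join(line + "\n" for line in fields)


def mac(key, normalized):
    """HMAC-SHA256 over the normalized string, base64-encoded (assumed algorithm)."""
    digest = hmac.new(key.encode(), normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_all_forms(key="constructed-secret", ts="1321823680", nonce="dj83hs9s"):
    """Compute the MAC for every sample form of the same logical request.

    Because the effective request URI undoes the proxy rewrites, all forms
    must yield the same MAC; a server that instead hashed the raw
    request-line would reject the rewritten requests.
    """
    return {name: mac(key, normalized_request_string(m, t, h, ts, nonce))
            for name, (m, t, h) in REQUESTS.items()}


if __name__ == "__main__":
    macs = verify_all_forms()
    for name, value in macs.items():
        print(f"{name:24s} {value}")
    print("all forms agree:", len(set(macs.values())) == 1)
```

The design choice worth noting is that the server derives host and port from the request-target when it is absolute and from Host only otherwise, which is exactly the reversal of intermediary changes that the reply above asks servers to perform; a deployment that cannot trust the connection scheme (for example behind a TLS-terminating proxy) would need to obtain it from a trusted forwarding header instead.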