Re: [OAUTH-WG] Signature crypto

stephen.farrell@cs.tcd.ie Fri, 04 December 2009 19:44 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 302873A67FD for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 11:44:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLR9RHpb+lvS for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 11:44:30 -0800 (PST)
Received: from cs.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:21b:21ff:fe3a:3d50]) by core3.amsl.com (Postfix) with ESMTP id 0E7A13A672E for <oauth@ietf.org>; Fri, 4 Dec 2009 11:44:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 7D5E73E408B; Fri, 4 Dec 2009 19:44:20 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:mime-version:user-agent :reply-to:from:subject:date:references:in-reply-to:message-id :received:received:received:x-virus-scanned; s=cs; t=1259955859; bh=Pn2ymrqm4Nfa0QYhyfOdEZg1qYm/GymabikRJVnN4I4=; b=DalFNpDy9Evz MEfXLLglSAJjLIPxJVO2P055SvvENzpyYnZt7+GQi5tHPh6t0EL2lyklKPIfwAp3 WSS44VcufXDay82ZPcGTTlLBseAsST7bA1flFPJvDczb/kUtJYic78gEy3/U1dMG s4gRi+ZuDDA/5/CRmgrc39HYQOiDFQqnFUUHL2U4S04ohmx6GXoeUos2IIw3o32G Ps6ZjlygU85sl8B1pfCQL93CQED0x8Qw/V/3IEVvIXQu8YaNVV/nQ2atXX3dh9Qu vNmnXS8xnyiMDaUPZDJoFnpZMPSo5ZB01DsdYaZR6cqX51vBYEvIgvqPbQjnAz+J fqs5wrhuNw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from cs.tcd.ie ([127.0.0.1]) by localhost (hermes.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id DteGtAYJVZHx; Fri, 4 Dec 2009 19:44:19 +0000 (GMT)
Received: from webmail.scss.tcd.ie (localhost [127.0.0.1]) by smtp.scss.tcd.ie (Postfix) with ESMTP id 8F1753E4084; Fri, 4 Dec 2009 19:44:19 +0000 (GMT)
Received: from 87.232.102.234 (SquirrelMail authenticated user sfarrel6) by webmail.scss.tcd.ie with HTTP; Fri, 4 Dec 2009 19:44:19 -0000 (GMT)
Message-ID: <a53568eae2c54017ef30e9aef7553c4f.squirrel@webmail.scss.tcd.ie>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437852936D4@P3PW5EX1MB01.EX1.SECURESER VER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343785183009@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343785293671@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041016k10366b88tb001f7700405083f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785293683@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041023y3207d801r42f01c7a0c4352bb@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234378529368A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912041037t199cc9d3rbd4d31d327f8988b@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234378529369B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <f98165700912041048s7f1f53bs27ec2b78f7f44c8b@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723437852936BC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912041112h71c0644dm8c908478dbff2e9a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723437852936D4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 04 Dec 2009 19:44:19 -0000
From: stephen.farrell@cs.tcd.ie
To: Eran Hammer-Lahav <eran@hueniverse.com>
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Mailman-Approved-At: Fri, 04 Dec 2009 11:45:43 -0800
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signature crypto
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: stephen.farrell@cs.tcd.ie
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 19:44:31 -0000

I think the +1's for HMAC-SHA1 etc should be followed here.
Attempting to reflect the internals of a signature or MACing
scheme in this protocol would be a mistake.

> Are you expecting them to write a new RFC to add support for HMAC-1024?

Yes. (Not that such a beast would make much sense.)

> That's the implications of what you are suggesting. Instead, I am trying
> to define a few (1 or 2) classes of algorithms, provide well-defined
> process of them, and provide an easy registration process for new
> algorithms which fit the class.

No thanks. I'd rather not see HMAC-snakeoil widely
deployed.

> ...asymmetric shared secret ...

Excellent example. That's precisely why we want an RFC and
a proper review process.

S.