Re: [OAUTH-WG] HTTP signing spec and nonce

Justin Richer <jricher@mit.edu> Sat, 27 February 2016 02:47 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <008201d170a4$f5216910$df643b30$@gmail.com>
Date: Fri, 26 Feb 2016 21:47:40 -0500
Message-Id: <69709F83-8D24-44DE-9A3B-D3BF8F70C201@mit.edu>
References: <008201d170a4$f5216910$df643b30$@gmail.com>
To: Brock Allen <brockallen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IBQ_IN81BHV5upXEQo4oHl-f-kw>
Cc: "<oauth@ietf.org>" <OAuth@ietf.org>
Subject: Re: [OAUTH-WG] HTTP signing spec and nonce

I’d be glad to add in a nonce if there’s a compelling reason for it, such as closing a security attack vector.

What’s the proposed purpose of the nonce? Is it just to add randomness to the signing base? Or is it to prevent replay at the RS? If the former, the timestamp should add enough of that and it can be verified to be within a reasonable window by the RS by comparing it with the time the request was made. If the latter, the RS is going to have to track previously used nonces for some amount of time. 

There was a small discussion of just signing an outgoing “Date:” header instead of the separate timestamp, but the timestamp seemed to be more robust. I forget the full reasoning though.

 — Justin

> On Feb 26, 2016, at 9:49 AM, Brock Allen <brockallen@gmail.com> wrote:
> 
> Question about the HTTP signing spec – why is there no nonce (and just a timestamp)?
>  
> TIA
>  
> -Brock
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
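The two roles of a timestamp versus a nonce described in the reply above (freshness checked against a window at the RS, versus per-request uniqueness that the RS must remember for some time) are shown below as an added example; this is illustration code, not code from the draft or from either author. It assumes a simplified signing base (method, path, timestamp, optional nonce) protected with an HMAC shared secret rather than the draft's JWS structure, and the 300-second window is an assumed value.

```python
"""Resource-server-side verification of a timestamp- and nonce-carrying signed request.

Added illustration (not the draft's or the thread's code). Assumptions:
- the signing base is method, path, Unix timestamp `ts` and optional `nonce`
- the signature is an HMAC-SHA256 over that base (the draft uses JWS instead)
- WINDOW_SECONDS is an assumed acceptance window
"""
import hashlib
import hmac
import time

WINDOW_SECONDS = 300  # assumed: tolerated clock skew plus network delay


def signing_base(method, path, ts, nonce=None):
    # Everything the RS later checks (ts, nonce) must be covered by the
    # signature, otherwise a replayed request could carry fresh values.
    parts = [method.upper(), path, str(ts)]
    if nonce is not None:
        parts.append(nonce)
    return "\n".join(parts).encode()


def sign(secret, method, path, ts, nonce=None):
    return hmac.new(secret, signing_base(method, path, ts, nonce), hashlib.sha256).hexdigest()


class ReplayGuard:
    """Freshness policy of the RS: timestamp window, plus optional nonce memory."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # nonce -> time (RS clock) after which it can be forgotten

    def _expire(self, now):
        for nonce, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[nonce]

    def check(self, ts, nonce=None, now=None):
        """Return (accepted, reason)."""
        now = time.time() if now is None else now
        # Timestamp alone: bounds how long a captured request stays usable.
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        if nonce is None:
            # Within the window the same request is still accepted again.
            return True, "fresh timestamp (replayable within window)"
        # Nonce: exact replay detection, at the cost of remembering nonces.
        self._expire(now)
        if nonce in self._seen:
            return False, "nonce replayed"
        # Retention only has to outlast the window: any later replay is
        # already rejected by the timestamp check, so the set stays bounded.
        self._seen[nonce] = ts + self.window
        return True, "fresh timestamp and unseen nonce"

    def remembered(self):
        return set(self._seen)


def verify_request(guard, secret, method, path, ts, sig, nonce=None, now=None):
    """Signature first (constant-time compare), then the freshness policy."""
    expected = sign(secret, method, path, ts, nonce)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return guard.check(ts, nonce, now)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    guard = ReplayGuard()
    sig = sign(secret, "GET", "/resource", 1000, "n1")
    print(verify_request(guard, secret, "GET", "/resource", 1000, sig, "n1", now=1010))
    print(verify_request(guard, secret, "GET", "/resource", 1000, sig, "n1", now=1020))
    print(verify_request(guard, secret, "GET", "/resource", 1500, sig, "n1", now=1500))
```

The design point the reply makes falls out of the guard: without a nonce the RS keeps no state but accepts an identical request any number of times inside the window; with a nonce it rejects the exact replay, and because the nonce memory only needs to live as long as the timestamp window, the state the RS has to keep is bounded by that window rather than growing forever.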