Re: [OAUTH-WG] OAuth Signature
Nat <sakimura@gmail.com> Wed, 28 July 2010 04:24 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 551EE3A681C for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 21:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.202
X-Spam-Level:
X-Spam-Status: No, score=-1.202 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYXr+hMudeq4 for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 21:24:54 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id B92133A6767 for <oauth@ietf.org>; Tue, 27 Jul 2010 21:24:53 -0700 (PDT)
Received: by vws10 with SMTP id 10so4368298vws.31 for <oauth@ietf.org>; Tue, 27 Jul 2010 21:25:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:in-reply-to :mime-version:content-transfer-encoding:content-type:message-id:cc :x-mailer:from:subject:date:to; bh=BKvgCcqKRB5uCR/p8KoTojeoMsVRc4QQIwTt73uO3cE=; b=HBsOIDHfFP3sx/2Vu5zucinPjOM1GyXazaNWl0CZfdNK3fJ5IjXsJup5CrgQL0lH1P jqX0iSQhxlxmFwcvyE1vunhmK6lMMYfQoAmg60fg5fKgEBP0dT9+3Vh7b1tC0gBA/w4U I0/rYeIY4HPgh01h4WdXJvYUH1kDswBYsG15E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to; b=J7/uP0QOfgdQyDq8Y+D6EZw1ahSsLxRXy9vBV/SKjrXvoC9qHib91olwaDESEVzi64 Q4IePD8vFslFGVS4WATGNrRxL1oGSUFTTfwIYwrc3+nxYjWgf/NVn+iOK8DtZicgRArL 4pOLKAZZjgUKPTma4f8Q9XBNZlkKYIlZufFys=
Received: by 10.220.122.1 with SMTP id j1mr5736077vcr.262.1280291115015; Tue, 27 Jul 2010 21:25:15 -0700 (PDT)
Received: from [172.16.217.87] ([12.157.157.133]) by mx.google.com with ESMTPS id v11sm3831673vbb.3.2010.07.27.21.25.11 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 27 Jul 2010 21:25:13 -0700 (PDT)
References: <AANLkTi=XYFSVeNxA43k+zYwt6yoGDtioa3kR47eaNYB+@mail.gmail.com> <AANLkTikStNbY_qQr0vivO80HRNyxMpuBtaA799CwG_n9@mail.gmail.com> <AANLkTi=uxiXSD5AQc9Ugz2j1GrLtzZB0uK5gey-mdFac@mail.gmail.com> <AANLkTimgySKrj+B5avoFmV=PgF38-wPtyKP=JW7SR_H5@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3EF903F7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3EF903F7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Mime-Version: 1.0 (iPhone Mail 8A306)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-1--811236608"
Message-Id: <48ED6E89-637C-4A3B-87EC-36C800F39552@gmail.com>
X-Mailer: iPhone Mail (8A306)
From: Nat <sakimura@gmail.com>
Date: Tue, 27 Jul 2010 21:25:54 -0700
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2010 04:24:55 -0000
If nobody does, I could since this is one of the most crucial piece that I need. =nat @ Tokyo via iPhone On 2010/07/27, at 17:36, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > Is someone going to turn this into an I-D anytime soon? > > > > EHL > > > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Dirk Balfanz > Sent: Tuesday, July 27, 2010 4:04 PM > To: Nat Sakimura > Cc: oauth > Subject: Re: [OAUTH-WG] OAuth Signature > > > > > > On Tue, Jul 27, 2010 at 3:35 PM, Nat Sakimura <sakimura@gmail.com> wrote: > > On Wed, Jul 28, 2010 at 1:12 AM, Dirk Balfanz <balfanz@google.com> wrote: > > > > > > On Tue, Jul 27, 2010 at 12:34 AM, Nat Sakimura <sakimura@gmail.com> wrote: > >> > >> I have a fundamental question. > >> > >> While separating signature and payload by a dot "." seems ok, > >> I still have not the answer for the question "why not make everything > >> into JSON and base64url it?". > >> > >> i.e., Right now, you are proposing: > >> > >> base64url_encode(JSON(payload,envelope)).base64url_encode(signature) > >> > >> Why not > >> > >> base64url_encode(JSON(payload,envelope,signature) > > > > You need to say what exactly the signature is over. Presumably, it's over > > some representation of the payload and envelope, but you need to specify > > exactly which representation. So in this case you would have to say > > something like "the signature is over the concatenation of the > > base64-encodings of the JSON-encodings of the payload and envelope", or > > something along those lines. If you did exactly this, then you would base-64 > > encode twice. Similar issues come up if you change the definition of what > > the signature is over slightly. > > I did not spell out my question correctly. The pseudo code was very misleading. > By "JSON()" I was meaning something similar to magic signature json encoding > or something similar because I was mainly comparing JSON Token and > Magic Signature. > Of course, that cannot be read from what I wrote. Sorry for that. > > My question is: > "why not just use a profiled/modified version of Magic Signature" > > > > I think that's a fair question - in fact, I was sort of aiming for just that. Once I get a free minute, I'll see whether there is a way to write this as an MS profile... > > > > Dirk. > > > > > I do not want to have two signature methods. > If the currently proposed signature method can be unified with magic signature, > it would be great. > > > > > >> > >> It probably is less hassle in terms of coding. (It is true that some > >> parameters gets base64url encoded twice but > > > > How is encoding things twice "less hassle"? > > > >> > >> BTW, some of the envelope parameters such as alg needs to be signed as > >> well to thwart the algorithm replacing attack. > > > > Yes, of course. Remember that in the current proposal I don't have an > > envelope - everything is in the payload. That's partly because I didn't want > > to decide what gets signed and what doesn't - everything is signed. Which in > > this case is easy (alternatively, I guess, you could just say that both the > > envelope and the payload are signed). But it gets harder when you want to > > encrypt the token. In this case you really need to leave some parts > > unencrypted (so the recipient has _some_ information on how to decrypt the > > thing) - presumably those parts would go into an envelope. > > Dirk. > > > > > >> > >> -- > >> Nat Sakimura (=nat) > >> http://www.sakimura.org/en/ > >> http://twitter.com/_nat_en > > > > > > > > -- > > Nat Sakimura (=nat) > http://www.sakimura.org/en/ > http://twitter.com/_nat_en > >
- [OAUTH-WG] OAuth Signature Nat Sakimura
- Re: [OAUTH-WG] OAuth Signature Dirk Balfanz
- Re: [OAUTH-WG] OAuth Signature Dick Hardt
- Re: [OAUTH-WG] OAuth Signature Nat Sakimura
- Re: [OAUTH-WG] OAuth Signature Nat Sakimura
- Re: [OAUTH-WG] OAuth Signature Dirk Balfanz
- Re: [OAUTH-WG] OAuth Signature Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth Signature Nat
- Re: [OAUTH-WG] OAuth Signature Nat