IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Brian Eaton <beaton@google.com> Tue, 01 December 2009 00:14 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD8963A69EB for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 16:14:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG7LtUUNm-Dx for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 16:14:49 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 611663A6898 for <oauth@ietf.org>; Mon, 30 Nov 2009 16:14:49 -0800 (PST)
Received: from wpaz24.hot.corp.google.com (wpaz24.hot.corp.google.com [172.24.198.88]) by smtp-out.google.com with ESMTP id nB10EeYj013383 for <oauth@ietf.org>; Tue, 1 Dec 2009 00:14:40 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1259626480; bh=wt7SRS0zbYgiRBuv4ZxEpEbKDes=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=hIi5A08g4sjQdOkwIjz/sx8xzG4+GL6wDw2vZ5jIZtU9YeRVDusPcp9CdId9p0oBo tSjqKwmbHLgB5aYhM1Gzw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=YqWAKBJCzxIlXXsxBcwV3/c+wvquIIkhukcjkiMY+wlRYNrkKINutn0paDUxkE98d 8YdwKaVJwMVBnQQTGaMOw==
Received: from pwi6 (pwi6.prod.google.com [10.241.219.6]) by wpaz24.hot.corp.google.com with ESMTP id nB10ES3n013622 for <oauth@ietf.org>; Mon, 30 Nov 2009 16:14:37 -0800
Received: by pwi6 with SMTP id 6so2282574pwi.29 for <oauth@ietf.org>; Mon, 30 Nov 2009 16:14:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.202.20 with SMTP id z20mr348405rvf.28.1259626477052; Mon, 30 Nov 2009 16:14:37 -0800 (PST)
In-Reply-To: <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de> <daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com>
Date: Mon, 30 Nov 2009 16:14:36 -0800
Message-ID: <daf5b9570911301614u1394e71cw8ef913cae7e5b21@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Mike Malone <mjmalone@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 00:14:50 -0000

On Mon, Nov 30, 2009 at 2:32 PM, Mike Malone <mjmalone@gmail.com> wrote:
> If we were coming up with a more secure replacement for browser-based
> HTTP basic auth (and looking at Aza Raskin's work with identity in
> Firefox, OAuth in the browser doesn't appear to be that far off) would
> you want to mandate that all auth'd HTTP traffic use TLS? Not sure if
> the answer is yes or no, but I'm guessing many of the
> advantages/drawbacks will be the same.

We should be really cautious about claiming that *anything* we do
replaces TLS.  I've seen at least one academic paper criticizing OAuth
on the basis that OAuth was designed to be secure in the absence of
TLS, yet doesn't actually achieve that goal.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email