IETF Logo Mail Archive

Re: [OAUTH-WG] signatures, v2

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 18 July 2010 15:19 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CCD813A6934 for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:19:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[AWL=0.102, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pYdSEzTfsxx8 for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:19:58 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.7]) by core3.amsl.com (Postfix) with ESMTP id BFE0C3A6926 for <oauth@ietf.org>; Sun, 18 Jul 2010 08:19:57 -0700 (PDT)
Received: from p4ffd3f9f.dip.t-dialin.net ([79.253.63.159] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OaVez-0000EB-MA; Sun, 18 Jul 2010 17:20:09 +0200
Message-ID: <4C431BA3.2000907@lodderstedt.net>
Date: Sun, 18 Jul 2010 17:20:03 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Dirk Balfanz <balfanz@google.com>
References: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
In-Reply-To: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040105000905070104040108"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] signatures, v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2010 15:19:59 -0000

Hi Dirk,

I have some questions concerning your proposal:

- As far as I understand, the difference to "magic signatures" lays in 
the usage of a JSON token carrying issuer, not_before, not_after and 
audience. While such properties are important for security tokens 
(assertions), I cannot see an advantage of using this format for 
signatures of HTTP requests. Would you please explain?

- Key management
 From my point of view, your proposal does cover key management for web 
applications using RSA signatures. What about web applications intending 
to sign resource server requests using HMAC (for performance reasons)? 
Do they need to exchange secrets with the resource server?

What about installed applications (mobile, desktop, set top boxes, 
gaming devices)?
  1) RSA: Do they need to provide their public key on a web server? This 
would be an additional requirement for such applications.
  2) HMAC: Same as for web apps, but even harder because either (a) the 
installed app has a static secret burned
into source code or (b) it needs to use a protocol for dynamic key 
management the resource server has to implement. Is this the plan?

Remark on 
(https://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4):
"To obtain an HMAC verification key, the client has to exchange, in an 
out-of-band fashion, shared keys with the issuer."

I assume "client" should be "verifier", shouldn't it?

regards,
Torsten.

Am 16.07.2010 02:43, schrieb Dirk Balfanz:
> Hi guys,
>
> after reading through the feedback, we did a pass over the OAuth 
> signature proposals.
>
> As a reminder, there are three documents:
>
> - a document (called "JSON Tokens") that just explains how to sign 
> something and verify the signature:
> http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4
>
> - an extension of JSON Tokens that can be used for signed OAuth tokens:
> http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU
>
> - a different extension of JSON Tokens that can be used whenever the 
> spec calls for an "assertion":
> http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc
> (When used in the assertion flow, this last token can also be used to 
> do "2-legged" OAuth)
>
> A summary of the (scant) changes:
>
> - we spelled out what we mean by RSA-SHA256.* Ben Laurie *- can you 
> double-check that that sounds good?
> - we decided on unpadded websafe-base64 throughout.
> - some changes to parameter names.
> - some small changes I might be forgetting now...
>
> As explained in my message to the previous thread, there is still no 
> envelope in there to help with encrypted tokens (b/c we don't 
> understand well enough what the envelopes for encrypted tokens would 
> look like).
>
> One question: What's the deal with having the signature go first? If 
> you can explain to me why that is a good idea, I'm happy to oblige.
>
> Cheers,
>
> Dirk & Marius.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email