Re: [OAUTH-WG] signatures, v2
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 18 July 2010 15:19 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CCD813A6934 for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:19:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[AWL=0.102, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pYdSEzTfsxx8 for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:19:58 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.7]) by core3.amsl.com (Postfix) with ESMTP id BFE0C3A6926 for <oauth@ietf.org>; Sun, 18 Jul 2010 08:19:57 -0700 (PDT)
Received: from p4ffd3f9f.dip.t-dialin.net ([79.253.63.159] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OaVez-0000EB-MA; Sun, 18 Jul 2010 17:20:09 +0200
Message-ID: <4C431BA3.2000907@lodderstedt.net>
Date: Sun, 18 Jul 2010 17:20:03 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Dirk Balfanz <balfanz@google.com>
References: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
In-Reply-To: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040105000905070104040108"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] signatures, v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2010 15:19:59 -0000
Hi Dirk, I have some questions concerning your proposal: - As far as I understand, the difference to "magic signatures" lays in the usage of a JSON token carrying issuer, not_before, not_after and audience. While such properties are important for security tokens (assertions), I cannot see an advantage of using this format for signatures of HTTP requests. Would you please explain? - Key management From my point of view, your proposal does cover key management for web applications using RSA signatures. What about web applications intending to sign resource server requests using HMAC (for performance reasons)? Do they need to exchange secrets with the resource server? What about installed applications (mobile, desktop, set top boxes, gaming devices)? 1) RSA: Do they need to provide their public key on a web server? This would be an additional requirement for such applications. 2) HMAC: Same as for web apps, but even harder because either (a) the installed app has a static secret burned into source code or (b) it needs to use a protocol for dynamic key management the resource server has to implement. Is this the plan? Remark on (https://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4): "To obtain an HMAC verification key, the client has to exchange, in an out-of-band fashion, shared keys with the issuer." I assume "client" should be "verifier", shouldn't it? regards, Torsten. Am 16.07.2010 02:43, schrieb Dirk Balfanz: > Hi guys, > > after reading through the feedback, we did a pass over the OAuth > signature proposals. > > As a reminder, there are three documents: > > - a document (called "JSON Tokens") that just explains how to sign > something and verify the signature: > http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4 > > - an extension of JSON Tokens that can be used for signed OAuth tokens: > http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU > > - a different extension of JSON Tokens that can be used whenever the > spec calls for an "assertion": > http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc > (When used in the assertion flow, this last token can also be used to > do "2-legged" OAuth) > > A summary of the (scant) changes: > > - we spelled out what we mean by RSA-SHA256.* Ben Laurie *- can you > double-check that that sounds good? > - we decided on unpadded websafe-base64 throughout. > - some changes to parameter names. > - some small changes I might be forgetting now... > > As explained in my message to the previous thread, there is still no > envelope in there to help with encrypted tokens (b/c we don't > understand well enough what the envelopes for encrypted tokens would > look like). > > One question: What's the deal with having the signature go first? If > you can explain to me why that is a good idea, I'm happy to oblige. > > Cheers, > > Dirk & Marius. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Naitik Shah
- Re: [OAUTH-WG] signatures, v2 Dick Hardt
- Re: [OAUTH-WG] signatures, v2 Torsten Lodderstedt
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Ben Laurie
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Greg Brail
- Re: [OAUTH-WG] signatures, v2 Greg Brail
- Re: [OAUTH-WG] signatures, v2 Torsten Lodderstedt
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz