[OAUTH-WG] why are we signing?

Brian Eaton <beaton@google.com> Mon, 09 November 2009 05:02 UTC

Hey folks -

What are the use cases for cryptography in OAuth?  Why are we signing
requests?  And how much of each request do we need to sign in order to
be useful?

As I see it, we have roughly the following menu of choices:

1) No signatures.
    Just use bearer tokens.  Use transport layer encryption to keep
those bearer tokens from leaking.

2) Signed tokens.
    We could just sign a timestamp, rather than entire messages.

3) Partially signed messages.
    We could sign just the request URL, or the request URL plus some parameters.

4) Fully signed messages.
     Sign as much of the HTTP request as possible, down to the bits of
the HTTP entity body.

My guess is we need at least two out of those four choices (one with
bearer tokens, a la OAuth 1.0 plaintext) and another with
cryptography.  But I'm not sure whether we need to sign entire
messages, or if we can get away with something simpler and still have
reasonable security.

Cheers,
Brian
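
Added example, not part of the original message: a Python sketch of the four menu options showing which in-transit changes each one lets a server detect. It uses a plain HMAC-SHA256 over length-prefixed fields rather than any OAuth signature method, and the key, the sample request, the field choices per option and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # constructed sample key

# Constructed sample request; all field values are made up for illustration.
SAMPLE = {
    "token": b"tok123",
    "timestamp": b"1257742800",
    "method": b"POST",
    "url": b"https://api.example.com/photos?size=large",
    "body": b"title=vacation",
}

# Fields fed to the MAC under each menu option (an assumed simplification).
COVERAGE = {
    "bearer": (),                                             # 1) no signature
    "signed_token": ("token", "timestamp"),                   # 2) sign a timestamp
    "partial": ("token", "timestamp", "method", "url"),       # 3) URL, not body
    "full": ("token", "timestamp", "method", "url", "body"),  # 4) body included
}

def sign(option, request):
    """Return a hex MAC over the covered fields, or None for bearer tokens."""
    fields = COVERAGE[option]
    if not fields:
        return None
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for name in fields:
        value = request[name]
        # Length-prefix each field so bytes cannot slide between fields.
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.hexdigest()

def verify(option, request, signature):
    """Recompute the MAC on the received request and compare in constant time."""
    expected = sign(option, request)
    if expected is None:
        return True  # bearer: only the token is checked, nothing binds the request
    return signature is not None and hmac.compare_digest(expected, signature)

def detected_changes(option):
    """Fields whose in-transit modification makes verification fail."""
    signature = sign(option, SAMPLE)
    detected = set()
    for name in ("timestamp", "url", "body"):
        altered = dict(SAMPLE, **{name: SAMPLE[name] + b"x"})
        if not verify(option, altered, signature):
            detected.add(name)
    return detected
```

Calling detected_changes("partial") returns {"timestamp", "url"}: a modified entity body still verifies, and only the "full" option catches it.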