Re: [OAUTH-WG] Signatures, Why?

That's what I have been thinking. Why is it important to sign the 
headers?  (I am not against signing them, but I cannot see the need in 
the specific cases we had discussed. In other words, if I had signed the 
body of the request, I probably would not care if someone changed the 
headers.)

Igor

Paul Lindner wrote:
> What about  
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html ? 
>
>
> That's in use and has been implemented in shindig for quite some time.
>
> That draft adds protection of the body -- I don't know of any draft 
> that covers signing the headers...
>
>
> On Mon, Mar 15, 2010 at 11:22 PM, John Panzer <jpanzer@google.com 
> <mailto:jpanzer@google.com>> wrote:
>
>     I'm confused by one "pro" for signatures:
>
>     "Protect integrity of whole request - authorization data and
>     payload when communicating over unsecure channel"
>
>     I do not believe there is an existing concrete proposal that will
>     protect the whole request, unless you add additional restrictions
>     on the request types -- e.g., only HTTP GET or POST with
>     form-encoded data variables only.
>
>     If the assertion is that signatures will actually provide
>     integrity for arbitrary HTTP request bodies as well as the URL,
>     authority, and HTTP method:   I would like to see at least one
>     concrete proposal that will accomplish this.   IIRC there's only
>     one that I think is possibly implementable in an interoperable
>     way, and it supports only JSON payloads.  In other words, anyone
>     using body signing would need to wrap their data in JSON to do it.
>      (This is not necessarily the worst thing in the world, of course,
>     but it is something to be taken into account when listing pros and
>     cons.)
>
>     On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt
>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>         Hi all,
>
>         I composed a detailed summary at
>         http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy.
>         Please review it.
>
>         @Zachary: I also added some of your recent notes.
>
>         regards,
>         Torsten.
>
>>         I volunteer to write it up.
>>>         <hat type='chair'/>
>>>
>>>         On 3/4/10 1:00 PM, Blaine Cook wrote:
>>>           
>>>>         One of the things that's been a primary focus of both today's WG call
>>>>         and last week's call is what are the specific use cases for
>>>>         signatures?
>>>>
>>>>         - Why are signatures needed?
>>>>         - What do signatures need to protect?
>>>>
>>>>         Let's try to outline the use cases! Please reply here, so that we have
>>>>         a good idea of what they are as we move towards the Anaheim WG.
>>>>             
>>>         This was a valuable thread. Perhaps someone could write up a summary of
>>>         the points raised, either on the list or at the wiki?
>>>
>>>         Peter
>>>
>>>           
>>>
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>           
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>           
>
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>   