IETF Logo Mail Archive

Re: [OAUTH-WG] MAC Tokens body hash

Phil Hunt <phil.hunt@oracle.com> Tue, 02 August 2011 15:31 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 509B521F873D for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2011 08:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.349
X-Spam-Level:
X-Spam-Status: No, score=-3.349 tagged_above=-999 required=5 tests=[AWL=-0.751, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8mci6ByIbEuv for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2011 08:31:27 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id D5FB421F873A for <oauth@ietf.org>; Tue, 2 Aug 2011 08:31:26 -0700 (PDT)
Received: from rtcsinet21.oracle.com (rtcsinet21.oracle.com [66.248.204.29]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p72FVWjh001198 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 2 Aug 2011 15:31:34 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by rtcsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p72FVUtC014173 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Aug 2011 15:31:31 GMT
Received: from abhmt107.oracle.com (abhmt107.oracle.com [141.146.116.59]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p72FVOxE006680; Tue, 2 Aug 2011 10:31:25 -0500
Received: from [192.168.1.8] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 02 Aug 2011 08:31:23 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-5--1015566488"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723450245F63D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 02 Aug 2011 08:31:22 -0700
Message-Id: <B5B1A97C-DC72-445A-8037-D49B913105B8@oracle.com>
References: <90C41DD21FB7C64BB94121FBBC2E723450245F611B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1312213271.20715.YahooMailNeo@web31813.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723450245F61F2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1312214803.15068.YahooMailNeo@web31801.mail.mud.yahoo.com> <62E9072B-6687-4906-9241-717D6EBD8167@oracle.com> <90C41DD21FB7C64BB94121FBBC2E723450245F63D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: rtcsinet21.oracle.com [66.248.204.29]
X-CT-RefId: str=0001.0A090205.4E381856.00C8,ss=1,re=-2.300,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC Tokens body hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 15:31:28 -0000

Not sure I understand. How does 'app' change the issue about internal format and register?

Is it not for the user of the field to use and document its use as appropriate?  I think the text that you had for ext was just fine.

Cutting the field out, eliminates any possibility of extensibility -- and that would close a door that dead-ends the MAC design --> likely causing another MAC variant IMHO.  That may be what you are looking for. Just want to make sure that's what you intend.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-08-01, at 11:22 PM, Eran Hammer-Lahav wrote:

> I am going to drop both ‘bodyhash’ and ‘ext’, and instead add ‘app’. ‘app’ allows you to include any data you want. ‘ext’ without an internal format and register is just asking for trouble, and I have no intention of adding that level of complexity. There are other proposals in the IETF for full HTTP message signatures, and I’ll leave these more complex use cases to them.
>  
> If you can demonstrate actual need (with examples) of both ‘app’ and ‘ext’, I’m willing to reconsider but you can clearly accomplish the same end result with just one, application-specific parameter.
>  
> EHL
>  
> From: Phil Hunt [mailto:phil.hunt@oracle.com] 
> Sent: Monday, August 01, 2011 10:51 PM
> To: William J. Mills
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] MAC Tokens body hash
>  
> Agree.
>  
> -1 on removing the ext parameter.
>  
> Phil
>  
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>  
> 
> 
>  
> On 2011-08-01, at 9:06 AM, William J. Mills wrote:
> 
> 
> I think the extended parameter still has use if someone extends the MAC stuff specifically, whcih the additional hash is useful for a data signature, that's off the cuff though without implementing somethign to try it out.
>  
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: William J. Mills <wmills@yahoo-inc.com>; OAuth WG <oauth@ietf.org>
> Cc: Ben Adida <ben@adida.net>; "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>
> Sent: Monday, August 1, 2011 8:59 AM
> Subject: RE: [OAUTH-WG] MAC Tokens body hash
> 
> Would you still like to see both such app-specific payload hash AND the ext parameter? I’m thinking of taking your idea and dropping ext. This way, the application can define anything they want to put in the payload hash.
>  
> EHL
>  
> From: William J. Mills [mailto:wmills@yahoo-inc.com] 
> Sent: Monday, August 01, 2011 8:41 AM
> To: Eran Hammer-Lahav; OAuth WG
> Cc: Ben Adida; 'Adam Barth (adam@adambarth.com)'
> Subject: Re: [OAUTH-WG] MAC Tokens body hash
>  
> Instead of "body" hash why not make it a payload hash or additional hash.  The app can include a hash of data there as defined by the app, and you've reserved a spot for that.
>  
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: OAuth WG <oauth@ietf.org>
> Cc: Ben Adida <ben@adida.net>; "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>
> Sent: Friday, July 29, 2011 6:43 PM
> Subject: [OAUTH-WG] MAC Tokens body hash
> I plan to drop support for the bodyhash parameter in the next draft based on bad implementation experience. Even with simple text body, UTF encoding has introduced significant issues for us. The current draft does not work using simple JS code between a browser and node.js even when both use the same v8 engine due to differences in the body encoding. Basically, the JS string used to send a request from the browser is not the actual string sent on the wire.
>  
> To fix that, we need to force UTF-8 encoding on both sides. However, that is very much application specific. This will not work for non-text bodies. Instead, the specification should offer a simple way to use the ext parameter for such needs, including singing headers. And by offer I mean give examples, but leave it application specific for now.
>  
> I am open to suggestions but so far all the solutions I came up with will introduce unacceptable complexity that will basically make this work useless.
>  
> EHL
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email