Re: [OAUTH-WG] why are we signing?

Dick Hardt <Dick.Hardt@microsoft.com> Wed, 02 December 2009 05:51 UTC

From: Dick Hardt <Dick.Hardt@microsoft.com>
To: Brian Eaton <beaton@google.com>
Date: Wed, 02 Dec 2009 05:51:14 +0000
Message-ID: <EDFFBBF1-7FBB-4F4E-A0D8-B92C9036B33C@microsoft.com>
In-Reply-To: <daf5b9570912011946j600f8cbcl918af16fbbbc3206@mail.gmail.com>
Cc: "<ext@core3.amsl.com>" <ext@core3.amsl.com>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?

On 2009-12-01, at 5:46 PM, Brian Eaton wrote:

> On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>> Getting a Class 1 cert from the likes of StartSSL is easy as pie these
>>> days. IMHO there is no excuse for not deploying SSL if you care one whit
>>> about security. The problem is that too many small-scale developers (and
>>> big companies!) simply don't care.
>> 
>> Don't care, don't need that much security, don't understand it, etc. Bottom line is that requiring SSL is certain to fork this work if not done right.
> 
> Note, however, that someone who can't get SSL working and still
> deploys OAuth has basically no security against eavesdroppers or MITM
> attacks, and certainly can't expect OAuth to provide it.  The issues
> are in the token issuance phase: these organizations are sending user
> passwords and session cookies in clear text!  OAuth is the least of
> their security concerns,

If the cost of SSL outweighs the risk of a security breach, then why would a developer deploying OAuth choose to sign their messages rather than use the simpler bearer token?

Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I think that is a good question. Perhaps it should be RECOMMENDED, and deployments can make their own benefit analysis.

-- Dick