Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 16:20 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 252E03A6AE0 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:20:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.409
X-Spam-Level:
X-Spam-Status: No, score=-102.409 tagged_above=-999 required=5 tests=[AWL=0.189, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vC81aFiXHCVj for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:20:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 53F583A6A1D for <oauth@ietf.org>; Fri, 24 Sep 2010 09:20:00 -0700 (PDT)
Received: from ros-dhcp192-1-51-60.bbn.com ([192.1.51.60]:63104) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OzB0h-000IS3-R2; Fri, 24 Sep 2010 12:20:32 -0400
Message-Id: <64B7C801-DAC2-4155-AB9D-88DFF709A689@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: John Panzer <jpanzer@google.com>
In-Reply-To: <AANLkTimVM7VaU=Y3wyVnT=LMOP1uVtAeHZNCV7DPNr2w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-14--52130400"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 24 Sep 2010 12:20:31 -0400
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <BFF19F03-2B06-4C93-8CE0-2C9A6A267CE4@bbn.com> <AANLkTimVM7VaU=Y3wyVnT=LMOP1uVtAeHZNCV7DPNr2w@mail.gmail.com>
X-Mailer: Apple Mail (2.936)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:20:02 -0000
Maybe I've misunderstood the Magic Signatures proposal. I thought that the MagicSig blob actually contained the data that was signed, so that step (3) below would be unnecessary. (Note that the object in Step 2 has only field *names*, not *values*.) Including the data is the part of that scheme that causes some heartburn, since the recipient can choose not to verify the match against the original data (the HTTP request). Like I said earlier, though, Magic Signatures / JSON token could probably still be useful, as long as the signed data is reconstructed, not provided in the token. The correspondence in my example was deliberate :) --Richard On Sep 24, 2010, at 12:11 PM, John Panzer wrote: > Richard, > > I'm a bit confused because the made-up example you give below is, > essentially, what Magic Signatures does. The algorithm you present > is basically the correct one IMHO. Are you assuming that the > recipient is _also_ using the HTTP-level method and URL path for > some important security decision? > > (Note: I'm assuming it's fine to use this unverified host/path data > for tentative routing to an intended recipient, because the worst > thing a MITM attacker can possibly do is to route it to the wrong > recipient. As long as the recipient uses only signed information to > decide whether it will actually ACCEPT the data, it will be fine. > MITM attackers can always mis-route even signed messages of course, > given that firewalls etc. are not aware of signatures, so I don't > see this as a distinction.) > > -- > John Panzer / Google > jpanzer@google.com / abstractioneer.org / @jpanzer > > > > On Fri, Sep 24, 2010 at 8:26 AM, Richard L. Barnes <rbarnes@bbn.com> > wrote: > Yes, there is certainly a risk if someone just checks the signature > and > does not verify the content of the message. This is a bad > implementation > of an authorization system, to be sure, and it's an issue that people > need to be aware of. But simply signing metadata doesn't completely > solve the problem, either. In both cases there can be parameters that > are outside of the signed request that need to be checked and treated > appropriately. > > Ah, perhaps I was unclear. I didn't mean *signing* metadata, I > meant *sending* metadata. Using a completely made-up syntax: > > 1. Signer computes signature sig_val over data object: > { user_agent: "Mozilla", method: "GET" } > 2. Signer sends { signed_fields: ['user_agent', 'method'], sig: > sig_val } > 3. Recipient reconstructs data object using signed_fields > 4. Recipient verifies sig_val == sign(reconstructed_object) > > --Richard > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes