IETF Logo Mail Archive

Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

William Mills <wmills_92105@yahoo.com> Fri, 10 August 2012 15:59 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E464221F86C8 for <oauth@ietfa.amsl.com>; Fri, 10 Aug 2012 08:59:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[AWL=-0.167, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWHWTVisXqZ8 for <oauth@ietfa.amsl.com>; Fri, 10 Aug 2012 08:59:30 -0700 (PDT)
Received: from nm21-vm0.bullet.mail.bf1.yahoo.com (nm21-vm0.bullet.mail.bf1.yahoo.com [98.139.213.137]) by ietfa.amsl.com (Postfix) with ESMTP id 067B621F86A0 for <oauth@ietf.org>; Fri, 10 Aug 2012 08:59:29 -0700 (PDT)
Received: from [98.139.212.144] by nm21.bullet.mail.bf1.yahoo.com with NNFMP; 10 Aug 2012 15:59:29 -0000
Received: from [98.139.212.220] by tm1.bullet.mail.bf1.yahoo.com with NNFMP; 10 Aug 2012 15:59:29 -0000
Received: from [127.0.0.1] by omp1029.mail.bf1.yahoo.com with NNFMP; 10 Aug 2012 15:59:29 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 367207.11091.bm@omp1029.mail.bf1.yahoo.com
Received: (qmail 16064 invoked by uid 60001); 10 Aug 2012 15:59:28 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1344614368; bh=lnzbO1vLi5vgwW2PEXZpDY0ydNyByXPxaVdmDicAUEA=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=yTS0QEIKjnBplh5IqPwBi2AwqB/1K0kGi/7E7tO8JifkEjinBTg9SGwb/DXA+GTHqM8TIeUlm32Ed29bAyCUx8WKn+Gakbc70bC5CU0Jz1qAk2GlKYHWwHKdSjIQgtpdmkzasrQ1aNTvPqAwzTxUMilVKXuQI0jgSawsKNHt0DE=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=uBbL8kWHZuImq69iPt4yn8LQk/maItcZxqEbj4qB5kqvs6EF2Cq3dGnPnI6IklHVyNy2DXJkUTVuCRPgKoh+wisnz6THNGK9SecWxZVXO3aN97Njjvfn02i04IXc2fWy60DG4+5uq45J9UFpaaLwRpezHK7hgFomONHMA5ViweI=;
X-YMail-OSG: hT5uIscVM1m0r9KoI_S_FjdqLeINUlNUYOlL_Qvw78VCf09 gubRiihrD1PX7HVQuYqf3TFYoOQZl7De5FS8NWl3tlcaiAkCZkSHonFOxXSP KlR74DF3CfAcXPMSzfkTQp_o75QLGsYBnwsLmLM56sblbH2sD48CLu9o7PzQ fmPshhRladf4M9A8lhFA1FJsXulV9.GLdVTmuoPPEBd1jFJNWKeHmNOS0q3x gwoqboGrH.Soh1Gzg27vgcKKPZOMjMOFJBie9a.0YRGOuO0NZCy9HAYqfl4l GQLU22osD3Cak8afpwpioo9Zy4Daw52PJRsQcHALOT7eN_sOCbgyCnvQ2wU_ CQuF3VePhb.Cu1VKdjq8Hs_7bHOiNLyj4O27VUalqvlsbuhhzvRJlR0QXBRj wcqKtmNELx7sXHSRe8vz6GWZ.XQzivheTOrDGHoZlddPA1Njo4W0k3J935Ct ejWacP70.yjKgRuXdVB2m09bAFdvgIcGzp0pp7tyPBd6pkhv4NjxQePM0z_4 yezVau9jneXetd70CCEt7
Received: from [209.131.62.115] by web31813.mail.mud.yahoo.com via HTTP; Fri, 10 Aug 2012 08:59:27 PDT
X-Mailer: YahooMailWebService/0.8.121.416
References: <CAOKdZ1dzVcKBDt6CSLuHwc4NzUVd_hUMWdpJVS6=ncdJo05=UQ@mail.gmail.com> <502280D8.40708@mitre.org> <9AD4EEF7-6187-4A4F-A855-32819BCB8321@gmx.net> <5022D344.40600@mitre.org> <EEBC9705-16C0-4697-8F38-28660C3CB553@ve7jtb.com> <5023CC18.9090809@mitre.org> <1344531175.4871.YahooMailNeo@web31812.mail.mud.yahoo.com> <3940317E-948C-4909-9B8F-2689A6B8D4EB@gmail.com> <1344534823.39489.YahooMailNeo@web31801.mail.mud.yahoo.com> <5B59B739-F8E7-4F5A-A39C-8C46055D0E98@ve7jtb.com> <1344537819.41154.YahooMailNeo@web31803.mail.mud.yahoo.com> <50241165.40209@mitre.org> <9B05DBF3-59B6-4377-944A-1917F26D7FA6@alkaline-solutions.com> <1344554391.70300.YahooMailNeo@web31811.mail.mud.yahoo.com> <5FCFF09E-AA4F-48C6-9789-AED8C83B3F2B@ve7jtb.com> <1344609371.51892.YahooMailNeo@web31813.mail.mud.yahoo.com> <47A03274-9F23-40A6-B321-CB7044C0FA4B@ve7jtb.com>
Message-ID: <1344614367.16061.YahooMailNeo@web31813.mail.mud.yahoo.com>
Date: Fri, 10 Aug 2012 08:59:27 -0700
From: William Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <47A03274-9F23-40A6-B321-CB7044C0FA4B@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="767760015-315314306-1344614367=:16061"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2012 15:59:32 -0000

It's not intended to address anything in TLS other than the fact that we have real use cases where TLS isn't in play.  



________________________________
 From: John Bradley <ve7jtb@ve7jtb.com>
To: William Mills <wmills_92105@yahoo.com> 
Cc: David Waite <david@alkaline-solutions.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Friday, August 10, 2012 8:09 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
 

No I wasn't talking about changing TLS.  I think the TLS threat has been expressed more as people who turn verification in the client rather than any failure of the TLS protocol or certificates.

The question I was trying to get at was if any of the message signing was intended to protect against clients misconfiguring TLS or Man in the middle attacking communications with the RS or token server.

Part of the reason behind MAC has been expressed as concern that Server TLS doesn't prevent tokens from being intercepted and replayed sufficiently.   

Where TLS is used if we believe clients are properly implemented what is the signing getting us.

I think sessions without TLS and TLS terminated on the firewall need to be supported, but there the threat is clearer.

John


On 2012-08-10, at 10:36 AM, William Mills wrote:

I would say that's true in theory, but practically speaking it's not gonna happen.  You're stating we need to come up with a better method for public key than we have now for this to be widely adopted, and I don't think that's reasonable.
>
>
>If we're gonna improve on the current PKI that is SSL certificates we should do that separately.
>
>
>
>________________________________
> From: John Bradley <ve7jtb@ve7jtb.com>
>To: William Mills <wmills_92105@yahoo.com> 
>Cc: David Waite <david@alkaline-solutions.com>; "oauth@ietf.org" <oauth@ietf.org> 
>Sent: Thursday, August 9, 2012 8:47 PM
>Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
> 
>
>Bill,
>
>
>I seem to recall in Paris that client misconfiguration of TLS was a concern.
>
>
>In MAC the token secret is delivered with the token based on server TLS and HTTP basic authentication.
>
>
>If this is OK and we trust the client to do TLS server certificate verification correctly that needs to go in as one of our base assumptions.  Or conversely additional protection of the token endpoint needs to be considered for key distribution.
>
>
>John B.
>
>On 2012-08-09, at 7:19 PM, William Mills wrote:
>
>AS would still be required to be HTTPS as per the spec.
>>
>>
>>
>>________________________________
>> From: David Waite <david@alkaline-solutions.com>
>>To: oauth@ietf.org 
>>Sent: Thursday, August 9, 2012 4:02 PM
>>Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>> 
>>
>>For #1:
>>Does the use of plain HTTP to talk to protected resources provide significant value when using an AS that requires HTTPS? Or am I misunderstanding, and this use case would also include new modes for non-TLS communication with the AS?
>>
>>
>>For #2:
>>Would the signature protection just cover HTTP parameters, or would it extend to covering any request data, such as a PUT binary file? Would the integrity protection only cover requests, or would you also have integrity protection of the response?
>>
>>
>>-DW
>>
>>
>>On Aug 9, 2012, at 1:37 PM, Justin Richer <jricher@mitre.org> wrote:
>>
>>Use case #2: signature protection over plain HTTP parameters
>>>
>>>MAC gives us message-level signing in a way that doesn't require
      all the parameters to be packed into an extra structure, like
      JWT/SAML do. TLS gives no application-layer verification of
      integrity of parameters, nor does it give you the ability to know
      who presented those parameters (unless you're doing mutual TLS,
      which nobody does). MAC gives you a fairly simple way to protect
      all parameters on a call to the resource server while still
      keeping all of those parameters in their native HTTP forms.
>>>
>>>
>>>Use case #3: generic signed HTTP fetch (not directly addressed by
      MAC spec as of today)
>>>
>>>Sometimes you want to create a URL with one service, fix all of
      the parameters in that URL, and protect those parameters with a
      signature. Then that URL can be passed to an untrusted service who
      cannot modify any portion of it. Nor can they re-use the signature
      portion to protect different parameters. We do this today with a
      2-legged OAuth signature across a service URL. The "Client"
      generates the signed URLs and passes them to a user agent which
      actually does the fetch to the service.
>>>
>>>
>>> -- Justin
>>>
>>>On 08/09/2012 02:43 PM, William Mills wrote:
>>>
>>>OK, I'll play and start documenting the use cases.  
>>>>
>>>>
>>>>Use case #1: Secure authentication in plain text connections:
>>>>
>>>>
>>>>Some applications need a secure form authorization, but do not want or need the overhead of encrypted connections.  HTTP cookies and their ilk are replayable credentials and do not satisfy this need.   the MAC scheme using signed HTTP authorization credentials offer the capability to securely authorize a transaction, can offer integrity protection on all or part of an HTTP request, and can provide replay protection.
>>>>
>>>>
>>>>-bill
>>>>
>>>>
>>>>
>>>>________________________________
>>>> From: John Bradley <ve7jtb@ve7jtb.com>
>>>>To: William Mills <wmills_92105@yahoo.com> 
>>>>Cc: Dick Hardt <dick.hardt@gmail.com>; "oauth@ietf.org" <oauth@ietf.org> 
>>>>Sent: Thursday, August 9, 2012 11:26 AM
>>>>Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>>> 
>>>>
>>>>In Vancouver the question was asked about the future of the MAC spec due to it no linger having a editor. 
>>>>
>>>>
>>>>The Chair and AD indicated a desire to have a document on the use-cases we are trying to address before deciding on progressing MAC or starting a new document.
>>>>
>>>>
>>>>Phil Hunt is going to put together a summery of the Vancouver discussion and we are going to work on the use-case/problem description document ASAP.
>>>>
>>>>
>>>>People are welcome to contribute to the use-case document.
>>>>
>>>>
>>>>Part of the problem with MAC has been that people could never agree on what it was protecting against.  
>>>>
>>>>
>>>>I think there is general agreement that one or more proof mechanisms are required for access tokens.
>>>>Security for the token endpoint also cannot be ignored. 
>>>>
>>>>
>>>>
>>>>
>>>>John B.
>>>> 
>>>>
>>>>On 2012-08-09, at 1:53 PM, William Mills wrote:
>>>>
>>>>MAC fixes the signing problems encountered in OAuth 1.0a, yes there are libraries out there for OAuth 1.0a.  MAC fits in to the OAuth 2 auth model and will provide for a single codepath for sites that want to use both Bearer and MAC.
>>>>>
>>>>>
>>>>>
>>>>>________________________________
>>>>> From: Dick Hardt <dick.hardt@gmail.com>
>>>>>To: William Mills <wmills_92105@yahoo.com> 
>>>>>Cc: "oauth@ietf.org" <oauth@ietf.org> 
>>>>>Sent: Thursday, August 9, 2012 10:27 AM
>>>>>Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>>>> 
>>>>>
>>>>>
>>>>>
>>>>>On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>>>>>
>>>>>I find the idea of starting from scratch frustrating.  MAC solves a set of specific problems and has a well defined use case.  It's symmetric key based which doesn't work for some folks, and the question is do we try to develop something that supports both PK and SK, or finish the SK use case and then work on a PK based draft.
>>>>>>
>>>>>>
>>>>>>I think it's better to leave them separate and finish out MAC which is *VERY CLOSE* to being done.
>>>>>
>>>>>Who is interested in MAC? People can use OAuth 1.0 if they prefer that model. 
>>>>>
>>>>>
>>>>>For my projects, I prefer the flexibility of a signed or encrypted JWT if I need holder of key.
>>>>>
>>>>>
>>>>>Just my $.02
>>>>>
>>>>>
>>>>>-- Dick  
>>>>>
>>>>>
>>>>>
_______________________________________________
>>>>>OAuth mailing list
>>>>>OAuth@ietf.org
>>>>>https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>_______________________________________________
OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth 
>>>
_______________________________________________
>>>OAuth mailing list
>>>OAuth@ietf.org
>>>https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>

v2.23.0 | Report a Bug | By Email