Re: [OAUTH-WG] why are we signing?

Brian Eaton <beaton@google.com> Tue, 10 November 2009 05:58 UTC

DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=IA1hIdDipEdYUsO1EqpwLJ2KPDRc1HhCfB+r0CIFYYJw1QtZnsLtcXOdIAYPeqtq4 QOEz/ZVpUTCebXY9iO5ZA==
MIME-Version: 1.0
In-Reply-To: <35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <35D50F5C-3982-4298-A9E0-86A528F5C5D3@jkemp.net>
Date: Mon, 09 Nov 2009 21:58:28 -0800
Message-ID: <daf5b9570911092158k682aff63l959c423c399b2277@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: John Kemp <john@jkemp.net>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?
Precedence: list

On Mon, Nov 9, 2009 at 6:28 AM, John Kemp <john@jkemp.net> wrote:
> If we are only interested in i) [authenticating the entity] then signing any piece of the message might
> be sufficient. If we are interested in ii) [binding the signature to the message] (or some other security property)
> then we will need to identify which pieces of the message we want to provide
> that, or other, security properties for.

OK, let me try to summarize what I've heard on this thread about the
different use-cases for message signing:

- sign the HTTP request
  Used to prevent MITM from replaying token to a different URL.  Also
limits the replay attack window to minutes instead of hours.

- sign various other parts of the message
   DKIM: signs various message headers
   SIP: unspecified, just says "relevant parts of SIP request"
   XMPP: signs from, to, and purpose of message (roughly)
   OpenSocial: signs identity parameters
   Simple Web Tokens: signs identity parameters

XMPP and OpenSocial both needed to invent their own signature base
string logic in order to reuse OAuth, and I strongly suspect that the
SIP folks will need to do the same.

Several of those applications involve legitimate proxies that
legitimately munge certain parts of the message, and are supposed to
leave other parts untouched.

Cheers,
Brian

[OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Chris Messina
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
Re: [OAUTH-WG] why are we signing? John Kemp
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Igor Faynberg
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Brian Eaton
[OAUTH-WG] OAuth WRAP Dick Hardt
Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
Re: [OAUTH-WG] OAuth WRAP Infinity Linden (Meadhbh Hamrick)
Re: [OAUTH-WG] OAuth WRAP John Panzer
Re: [OAUTH-WG] OAuth WRAP Dick Hardt
Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
Re: [OAUTH-WG] OAuth WRAP Dick Hardt
Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
Re: [OAUTH-WG] OAuth WRAP John Panzer
Re: [OAUTH-WG] OAuth WRAP Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? BeckW
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] OAuth WRAP RL 'Bob' Morgan
Re: [OAUTH-WG] OAuth WRAP Chris Messina
Re: [OAUTH-WG] [WRAP] Re: OAuth WRAP Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] OAuth WRAP Brian Eaton
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? Tschofenig, Hannes (NSN - FI/Espoo)
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Mike Malone
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Mike Malone
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? Mike Malone
Re: [OAUTH-WG] why are we signing? George Fletcher
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? Brian Eaton
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Stephen Farrell
Re: [OAUTH-WG] why are we signing? Prateek Mishra
Re: [OAUTH-WG] why are we signing?; OAuth 2.0 / C… Zeltsan, Zachary (Zachary)
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
Re: [OAUTH-WG] why are we signing? Richard Barnes
Re: [OAUTH-WG] why are we signing? Mike Malone
Re: [OAUTH-WG] why are we signing? John Panzer
Re: [OAUTH-WG] why are we signing? Dick Hardt
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
[OAUTH-WG] multi-level delegation (was: Re: why a… Peter Saint-Andre
Re: [OAUTH-WG] why are we signing? Stephen Farrell
Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
[OAUTH-WG] multi-level delegation Vrancken Bart bv
Re: [OAUTH-WG] multi-level delegation (was: Re: w… Zeltsan, Zachary (Zachary)