Re: [OAUTH-WG] why are we signing?
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 09 November 2009 08:57 UTC
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Chris Messina' <chris.messina@gmail.com>, 'Eran Hammer-Lahav' <eran@hueniverse.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1bc4603e0911090000i6872f482pf1d003442aadd6be@mail.gmail.com>
Date: Mon, 09 Nov 2009 18:00:57 +0900
Message-ID: <057c01ca611b$2981e3b0$4a3e000a@nsnintra.net>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?
Hi Chris,

_____
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Chris Messina
Sent: 09 November, 2009 17:00
To: Eran Hammer-Lahav
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?

> Indeed, in the beginning of OAuth, that was one of the primary drivers that led us to the decision to sign everything - because of the non-SSL case...

The OAuth signing mechanism does not sign everything, only certain parts. Signing everything was considered difficult since the complete data stream may not be available.

There is also a TLS-PSK variant that would not require you to use certificates if that is considered to be the problem.

> While it's possibly increasingly common to expect that serious developers will go and buy an SSL cert, that may not be the case for the wider array of hobbyist types. Now, that's not to say that they are the only audience that needs to be addressed, but the idea was to make it harder for them to screw up if they leaked their API calls...
>
> Clearly it turned out that the signing bit intended to prevent against such attacks itself was too hard to implement, and so now we're having these conversations again.

I rather believe that the description was difficult to understand (and hence implementers got it wrong). Once libraries are available then there is no need for application designers to worry about these issues.

Ciao
Hannes

> At least now we have more data about what the market will bear now.
>
> Anyway, that's my recollection. But it might also not be exactly the explanation for what you're looking for.
>
> Chris
>
> On Sun, Nov 8, 2009 at 11:48 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>
> The problem is, we are not likely to ever reach consensus on 'reasonable security'. For example, I don't find most cookie-based session systems reasonably secure without SSL/TLS. Being able to sit at a coffee shop with free wifi and a laptop and steal session cookies, then access people's email for the duration the cookie is valid isn't reasonable or secure.
>
> If you would like to try this approach, I would suggest adding next to each option the list of common attacks still possible under those terms. It will allow us to evaluate the added security each level of complexity brings.
>
> EHL
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Eaton
> > Sent: Sunday, November 08, 2009 9:03 PM
> > To: oauth@ietf.org
> > Subject: [OAUTH-WG] why are we signing?
> >
> > Hey folks -
> >
> > What are the use cases for cryptography in OAuth? Why are we signing requests? And how much of each request do we need to sign in order to be useful?
> >
> > As I see it, we have roughly the following menu of choices:
> >
> > 1) No signatures.
> > Just use bearer tokens. Use transport layer encryption to keep those bearer tokens from leaking.
> >
> > 2) Signed tokens.
> > We could just sign a timestamp, rather than entire messages.
> >
> > 3) Partially signed messages.
> > We could sign just the request URL, or the request URL plus some parameters.
> >
> > 4) Fully signed messages.
> > Sign as much of the HTTP request as possible, down to the bits of the HTTP entity body.
> >
> > My guess is we need at least two out of those four choices (one with bearer tokens, a la OAuth 1.0 plaintext) and another with cryptography. But I'm not sure whether we need to sign entire messages, or if we can get away with something simpler and still have reasonable security.
> >
> > Cheers,
> > Brian
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is: [ ] shareable [X] ask first [ ] private
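As an added illustration of the menu Brian lays out and of Hannes' point that OAuth covers only certain parts of a request (this is editor-supplied example code, not anything from the thread): a compact Python model of option 3, an OAuth 1.0-style HMAC-SHA1 signature over method, base URL and parameters with timestamp and nonce checks, beside option 1, a plain bearer-token check, run against one request "captured" on an unencrypted link. The credentials, URL and request are constructed values; the encoding and base-string rules follow OAuth 1.0 but the verifier is a teaching model, not a complete implementation.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):  # OAuth 1.0 percent-encoding: only unreserved characters stay unencoded
    return quote(str(s), safe="")

def base_string(method, url, params):
    """METHOD & enc(base URL) & enc(sorted k=v pairs); the entity body is not covered."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, client_secret, token_secret):
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, token, client_secret, token_secret, ts=None, nonce=None):
    """Client side (option 3): add the oauth_* parameters, then sign method + URL + parameters."""
    p = dict(params, oauth_token=token, oauth_signature_method="HMAC-SHA1",
             oauth_timestamp=str(int(time.time()) if ts is None else ts), oauth_nonce=nonce or secrets.token_hex(8))
    p["oauth_signature"] = hmac_sha1(method, url, p, client_secret, token_secret)
    return p

class SignedServer:
    """Server side: recompute the signature, then reject stale timestamps and reused nonces."""
    def __init__(self, client_secret, token_secret, window=300):
        self.secrets, self.window, self.seen = (client_secret, token_secret), window, set()
    def verify(self, method, url, params, now):
        sig, ts, nonce = (params.get(k) for k in ("oauth_signature", "oauth_timestamp", "oauth_nonce"))
        if None in (sig, ts, nonce): return "missing oauth parameter"
        expected = hmac_sha1(method, url, params, *self.secrets)
        if not hmac.compare_digest(expected.encode(), str(sig).encode()):
            return "bad signature"      # URL or a covered parameter was altered
        if abs(now - int(ts)) > self.window:
            return "stale timestamp"    # old captures expire even if the nonce cache is lost
        if (ts, nonce) in self.seen:
            return "replayed nonce"     # exact re-send of a captured request inside the window
        self.seen.add((ts, nonce))
        return "ok"

def bearer_verify(params, token):  # option 1: possession of the token is the whole check
    return "ok" if params.get("oauth_token") == token else "bad token"

def demo():  # constructed values: what one captured request is worth under each option
    url, srv = "http://api.example.test/mail", SignedServer("client-secret", "token-secret")
    req = sign_request("GET", url, {"folder": "inbox"}, "tok", "client-secret", "token-secret", 1000, "n1")
    return {"first": srv.verify("GET", url, req, now=1000),
            "replay": srv.verify("GET", url, req, now=1000),
            "tamper": srv.verify("GET", url, dict(req, folder="sent", oauth_nonce="n2"), now=1005),
            "stale": srv.verify("GET", url, req, now=5000),
            "bearer_replay": bearer_verify(req, "tok")}
```

Under option 3 the captured request is only good once, for the exact URL and parameters it was signed over, and only inside the timestamp window; under option 1 the same capture is accepted indefinitely, which is why that option needs transport encryption. Neither model covers the HTTP entity body, which is what option 4 adds.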