IETF Logo Mail Archive

Re: [OAUTH-WG] signatures, v2

Dirk Balfanz <balfanz@google.com> Fri, 23 July 2010 18:45 UTC

Return-Path: <balfanz@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8994B3A6A10 for <oauth@core3.amsl.com>; Fri, 23 Jul 2010 11:45:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.976
X-Spam-Level:
X-Spam-Status: No, score=-101.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kU-2bz-QBpgj for <oauth@core3.amsl.com>; Fri, 23 Jul 2010 11:45:27 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 5FDBD3A6A6C for <oauth@ietf.org>; Fri, 23 Jul 2010 11:45:16 -0700 (PDT)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com [172.25.149.7]) by smtp-out.google.com with ESMTP id o6NIjW7q027843 for <oauth@ietf.org>; Fri, 23 Jul 2010 11:45:32 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1279910732; bh=Qw2/k5vgCMLeO49WfAK4Bi4+L0w=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=lSF/gJFXj3uTi+Wqi2qCLommNH3GAB1/lIYj/gmV7wL0lhB/wuP7l0zWLajLu770L TZX4xhfCEOwrs6yVtxFGA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=q8NwFRn34cWUkhDHtFlsQW6KhiRTMzlZlL8zXjXDehcPQsAST53Qd8hlv89vhBeQ8 RW1uIgIKxg4+Nujjt7pmw==
Received: from iwn7 (iwn7.prod.google.com [10.241.68.71]) by hpaq7.eem.corp.google.com with ESMTP id o6NIjUrk021280 for <oauth@ietf.org>; Fri, 23 Jul 2010 11:45:31 -0700
Received: by iwn7 with SMTP id 7so589206iwn.33 for <oauth@ietf.org>; Fri, 23 Jul 2010 11:45:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.166.139 with SMTP id m11mr3897176iby.136.1279910730408; Fri, 23 Jul 2010 11:45:30 -0700 (PDT)
Received: by 10.231.130.9 with HTTP; Fri, 23 Jul 2010 11:45:30 -0700 (PDT)
In-Reply-To: <4C48BFD2.9060406@lodderstedt.net>
References: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com> <4C431BA3.2000907@lodderstedt.net> <AANLkTilBFabSRsxshSuBbzbYqwv7MzPbMq-fUBShjX9L@mail.gmail.com> <4C48BFD2.9060406@lodderstedt.net>
Date: Fri, 23 Jul 2010 11:45:30 -0700
Message-ID: <AANLkTi=5i2Big0HCv=farMtmo08UCx5zidhgjL+ADpNO@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="005045013c646e2f54048c127073"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] signatures, v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jul 2010 18:45:29 -0000

On Thu, Jul 22, 2010 at 3:01 PM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

>
>  On Sun, Jul 18, 2010 at 8:20 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Hi Dirk,
>>
>> I have some questions concerning your proposal:
>>
>> - As far as I understand, the difference to "magic signatures" lays in the
>> usage of a JSON token carrying issuer, not_before, not_after and audience.
>> While such properties are important for security tokens (assertions), I
>> cannot see an advantage of using this format for signatures of HTTP
>> requests. Would you please explain?
>>
>
>  You mean advantage over magic signatures? It's really a similar idea -
> it's just that magic signatures as is don't quite fit the bill. For example,
> they have newlines in them:
> http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html#anchor5
>
>
> I mean, what is the reason for including issuer, not_before, not_after and
> audience into a signature?
>

If the attacker could change the audience field without invalidating the
token, then parties other than the one for which the token is intended could
be tricked into accepting it.
Similarly, if the attacker could change the not_before and not_after fields
without invalidating the token, then the attacker could re-use an old token
without detection.
I'm not sure what would happen if the issuer field was outside the signed
payload, but I'd rather be safe than sorry, and include it in the signature.


>   - Key management
>> From my point of view, your proposal does cover key management for web
>> applications using RSA signatures. What about web applications intending to
>> sign resource server requests using HMAC (for performance reasons)? Do they
>> need to exchange secrets with the resource server?
>>
>
>  Correct - I'm not saying how HMAC keys are being distributed. Presumably,
> you would use a similar system to what many platform providers use today -
> you sign up as a developer, and they give you a "developer key" (or "API
> key").
>
>
> Such a system will work for a relatively static relation between client and
> server only. Do you suggest a client should register with every resource
> server in advance?
>

I'm personally in favor of using RSA keys and not requiring registration,
but there are legitimate reasons for taking the opposite approach - for
example, resource servers might require registration because they want
developers to sign ToSs and such.


> What about dynamic clients? Suppose a client is just configured with a URL
> pointing to a PortableContacts resource. The client discovers the respective
> authz server and obtains a token. What if the client wants to sign the
> messages to the resource server?
>

I would propose to use RSA signing in this case.


>   What about installed applications (mobile, desktop, set top boxes,
>> gaming devices)?
>>
>
>  I don't think that installed apps can ever authenticate themselves (i.e.,
> prove the statement "I am a copy of the FooBar app"), so I'm not trying to
> solve that. What we _can_ do is deliver OAuth tokens to an installed app of
> the user's choice, but the server won't know who received the token - only
> the user does.
>
>
> I think we can do more. Even installed applications can use signatures to
> protect messages on transport. What about that use case? Clearly they need
> appropriate key material. The token secret  issued by the authorization
> server could server that purpose.
>

What would the purpose of that signature be? Let's look at a few
possibilities:

- "I prove that I'm really a copy of the FooBar app"? You're just not gonna
be able to do that, because client apps can't keep secrets.
- "I prove that I'm the legitimate holder of this token"? If you don't leak
the token, then presenting the token itself proves this. Use SSL if you're
worried about leaking the token in transport.
- "I prove that the request wasn't tampered with in transport."? Use SSL.

What do you think?

Dirk.


>
>
>
>>  1) RSA: Do they need to provide their public key on a web server? This
>> would be an additional requirement for such applications.
>>  2) HMAC: Same as for web apps, but even harder because either (a) the
>> installed app has a static secret burned
>> into source code or (b) it needs to use a protocol for dynamic key
>> management the resource server has to implement. Is this the plan?
>>
>>
> regards,
> Torsten.
>

v2.35.0 | Report a Bug | By Email | System Status