IETF Logo Mail Archive

Re: [OAUTH-WG] Signatures spec proposal, take 2

"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 02:59 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 124633A69D8 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.562
X-Spam-Level:
X-Spam-Status: No, score=-102.562 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0aAe5kjGQDGo for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:59:26 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 617D23A69B1 for <oauth@ietf.org>; Thu, 23 Sep 2010 19:59:26 -0700 (PDT)
Received: from [128.89.254.38] (port=59927 helo=[192.168.1.11]) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OyyVw-000865-6S; Thu, 23 Sep 2010 22:59:57 -0400
Message-Id: <89CF75F1-4A51-4B92-8305-BC7430D36F7C@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <C8C15BD3.3AC6C%eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-7--100167822"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 23 Sep 2010 22:59:53 -0400
References: <C8C15BD3.3AC6C%eran@hueniverse.com>
X-Mailer: Apple Mail (2.936)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures spec proposal, take 2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 02:59:28 -0000

Basically, this argument comes down to which validation pattern you  
prefer.

OPTION 1:
0. Input = object + signature
1. Verify match between object data and HTTP fields
2. Verify signature over the object

OPTION 2:
0. Input = signature
1. Construct object data from HTTP fields
2. Verify signature over the object

So the choice is between memcmp and memcpy :)

As Eran noted, there is some security advantage in option 2, since it  
forces the data in the signed object to correspond to the actual HTTP  
request instead of relying on the recipient to verify.  I would prefer  
that pattern, for that reason.

That's not to say that the JSON token proposal is without any  
utility.  For example, option 2 could take as input a JSON token with  
the 'data' element removed; the recipient would then reconstruct the  
'data' element from the HTTP request and verify the  token.

As an editorial note, it would be very helpful if the JSON token  
document could be made a little more stand-alone w.r.t. the Magic  
Signatures draft.  An example would also help, just to illustrate the  
overall structure of the token.

--Richard



On Sep 23, 2010, at 10:32 PM, Eran Hammer-Lahav wrote:

> First, thanks for putting this together. It provides a pretty  
> comprehensive story about the signed tokens proposal. I don’t have  
> much to add at this point to the drafts.
>
> My position, which I have expressed many times before about this  
> approach is:
>
> Any solution involving repeating the HTTP request elements in some  
> sort of envelope will require validation .In this case, you need to  
> define all the rules for validating the ‘audience’ parameter.
>
> This approach makes it too tempting for server developers to ignore  
> the HTTP request and only use the values of the ‘audience’ and  
> ‘method’ parameters. In order to validate those parameters, the  
> server needs to perform some sort of normalization (which eventually  
> leads to the same signature mismatch problems). Not looking at the  
> HTTP request will lead to security problems because it will allow  
> bypassing existing HTTP firewall rules which operate on the request  
> URI and HTTP method.
>
> As a matter of personal taste, this smells too much like SOAP. And  
> that’s a really bad thing.
>
> I am not in favor of any solution that replicates components of the  
> HTTP request within the request (as is the case here). Recent  
> experience shows that with a little help and good libraries,  
> developers can figure out how to normalize and sign an HTTP request  
> successfully, when motivated.
>
> EHL
>
>
> On 9/23/10 7:07 PM, "Dirk Balfanz" <balfanz@google.com> wrote:
>
>
>
> On Thu, Sep 23, 2010 at 6:51 PM, Eran Hammer-Lahav <eran@hueniverse.com 
> > wrote:
> In part II, how is the signature bound to the HTTP request URI? I  
> see the method and body, but not the request URI.
>
> The request URI goes in the audience parameter that's defined in  
> part I.
>
> Dirk.
>
>
> EHL
>
>
>
> On 9/23/10 3:39 PM, "Dirk Balfanz" <balfanz@google.com <http://balfanz@google.com 
> > > wrote:
>
> Hi guys,
>
> sorry it took a while, but here is an updated proposal. It's still  
> in three parts:
>
> Part I is about "JSON Tokens" that can be used for all sorts of  
> things, not just OAuth:
> http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html
>
> Part II is about how to embed an OAuth token and (some parts of) an  
> HTTP request into a JSON Token:
> http://balfanz.github.com/jsontoken-spec/draft-balfanz-signedoauth2-00.html
>
> Part III is how to use signatures instead of client secrets for  
> assertions in OAuth:
> http://balfanz.github.com/jsontoken-spec/draft-balfanz-clientassertions-00.html
>
> Diffs from the last specs are:
>
> - JSON Tokens are now just a profile of Magic Signatures, which John  
> Panzer has helpfully extended for this purpose
> - There was a vulnerability to masquerading attacks in the last  
> proposal, which is addressed in this proposal by adding a data_type  
> parameter that is part of the signature, but _not_ part of the  
> payload.
> - no more support of X.509 certs - the only supported format for  
> discovered public keys is now the Magic Key format. We'll give  
> people tools (which are quite easy to write) to convert their self- 
> signed or CA-issued certs to magic keys.
> - The specs are now formatted as I-Ds.
>
> Comments, please!
>
> Dirk.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email