IETF Logo Mail Archive

[OAUTH-WG] Fwd: HTTP protocol version in MAC signatures

Phil Hunt <phil.hunt@oracle.com> Fri, 09 May 2014 03:47 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B21771A01BB for <oauth@ietfa.amsl.com>; Thu, 8 May 2014 20:47:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.85
X-Spam-Level:
X-Spam-Status: No, score=-4.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84Kk4daTEirE for <oauth@ietfa.amsl.com>; Thu, 8 May 2014 20:47:13 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 311DB1A01C2 for <oauth@ietf.org>; Thu, 8 May 2014 20:47:13 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s493l71D023460 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 9 May 2014 03:47:08 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s493l7f4015053 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Fri, 9 May 2014 03:47:07 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s493l6cu022742 for <oauth@ietf.org>; Fri, 9 May 2014 03:47:06 GMT
Received: from [25.69.96.84] (/24.114.22.64) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 08 May 2014 20:47:05 -0700
References: <CAOBb0SLV0iX3TREx0kOxvoiUUau3us6YW4jQwzFT8Vz1Aq6Miw@mail.gmail.com>
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-7302498F-6A7F-4231-9BBB-FE3D69DA09CC"
X-Mailer: iPhone Mail (11D167)
Message-Id: <9378C75B-2146-4E8D-BDD6-B4F495C52B84@oracle.com>
Date: Thu, 08 May 2014 20:47:01 -0700
To: OAuth WG <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TRqdDHmmlT1k2arO21FtvKb3hgc
Subject: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 May 2014 03:47:15 -0000

Fyi

Phil

Begin forwarded message:

> From: Blair Strang <blair.strang@covata.com>
> Date: May 8, 2014 at 18:47:58 PDT
> Resent-To: hannes.tschofenig@gmx.net, jricher@mitre.org, phil.hunt@yahoo.com, wmills@yahoo-inc.com
> To: draft-ietf-oauth-v2-http-mac@tools.ietf.org
> Subject: HTTP protocol version in MAC signatures
> 
> Hi,
> 
> [Not sure if this is the right address to submit this feedback to]
> 
> Looking over http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 section 5.2. "MAC Input String", it seems that the HTTP request line is used verbatim during the construction of MAC tokens.
> 
> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it seems that HTTP proxies which run different protocol versions on each leg will break signatures. 
> 
> I would recommend removing the HTTP version from the MAC. The transport is inherently a "per hop" type of thing, while request signatures are conceptually "end to end".
> 
> I am not aware of any specific security benefits derived from including the HTTP protocol version in the MAC input string. This may be why AWS version 2 and AWS version 4 signatures do not include it.
> 
> Thanks and regards,
> 
>     Blair.
>

v2.23.0 | Report a Bug | By Email