Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
John Panzer <jpanzer@google.com> Fri, 24 September 2010 16:21 UTC
Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB8C63A6B8D for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.382
X-Spam-Level:
X-Spam-Status: No, score=-104.382 tagged_above=-999 required=5 tests=[AWL=1.595, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFstrQZ3phj0 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:21:26 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 2771E3A6AB1 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:25 -0700 (PDT)
Received: from hpaq12.eem.corp.google.com (hpaq12.eem.corp.google.com [172.25.149.12]) by smtp-out.google.com with ESMTP id o8OGLv4p030805 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:57 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285345317; bh=QEmUhru7pM9uNBzOqeGtARBb4YU=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=efB3WAISgaFteu1rTe4OP1424zgYD/g0CXFMsL8QMwx3ksaUdLJAsGHUaB2Uv4LVR ormTzpj9+6umOf9kPJWNg==
Received: from pwi8 (pwi8.prod.google.com [10.241.219.8]) by hpaq12.eem.corp.google.com with ESMTP id o8OGLtPS018801 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:56 -0700
Received: by pwi8 with SMTP id 8so1091694pwi.13 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=c5vC/JoxJi1Q2zJcN9C8raXft+vzLfEL6nZouazadQg=; b=NihlGtMueuOHawundgqiqIeYFiun1Msol8ybICLE48ucN32FWi8smf4a9xos68HQgx oifCfdbIVrHzqZbKxblQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=K7I2+LQM48CZjb7fC1qxk/1aHFjWCnsZJ9F83hDJyWzIXSJFACGWp/uvLKw2RrvjGs SjipMccYhC0nLtppNtBA==
Received: by 10.142.186.1 with SMTP id j1mr2901753wff.164.1285345314416; Fri, 24 Sep 2010 09:21:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.233.7 with HTTP; Fri, 24 Sep 2010 09:21:34 -0700 (PDT)
In-Reply-To: <51097F4B-C0C7-499E-BB51-C55E55D2291A@hueniverse.com>
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <51097F4B-C0C7-499E-BB51-C55E55D2291A@hueniverse.com>
From: John Panzer <jpanzer@google.com>
Date: Fri, 24 Sep 2010 09:21:34 -0700
Message-ID: <AANLkTin7CK=pF22YAAGNA7sibT=mEb=0fo=VBWqytUeC@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="000e0cd215eae12a3e049103c620"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:21:28 -0000
On Fri, Sep 24, 2010 at 9:06 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > Validating the signed data delivered with the request is as much magic as > the current 1.0 approach. Go write the validation rules and see. > Done that (for the specific case of Salmon). The only trick is to write the code so that if the message were delivered via a note tied to a rock thrown through your window, it would have the same security properties as the ones delivered via HTTP. This is very amenable to static analysis. Is there a specific attack vector that we could discuss that you're worried about? > > I'm getting really tired of this argument because it is not grounded in > reality. Any attempt to compare the HTTP request to what was signed, whether > it is sent with the request or not, is as difficult. Sending the signed data > just makes it easier for the server to make bad assumptions and be flexible > in an insecure way. > > EHL > > On Sep 24, 2010, at 10:51, "Justin Richer" <jricher@mitre.org> wrote: > > >>> I think that any signature method that we end up using needs to rely > >>> less on magic and anecdote and more on explicit declaration. > >> > >> This is certainly correct ... > >> > >> > >>> I think > >>> that Brian Eaton's approach of sending the bare string that was > >>> signed, > >>> which was also a JSON element that could be parsed and validated, > >>> was an > >>> essential simplification. > >> > >> ... but this does not follow. The signer can specify what was signed > >> without sending the data... > >> > >>> Even OpenID states which of the parameters on > >>> the request were signed, which makes it easier to validate. > >> > >> ... as in this pattern. There are some other examples of elements of > >> the signed object being conditionally included: > >> 1. HTTP Digest authentication [1] > >> 2. The IKEv2 key exchange messages [2] > > > > And I'm marginally OK with either pattern, though I think that the > > former is a much cleaner way to do it. I believe either case to be > > worlds better than the OAuth 1.0 method, which has caused countless > > problems. I actually had to help someone debug between sending that > > first email and this one, so I can attest that the problem has not gone > > away! :) > > > >> As has been pointed out before, there is a security risk in sending > >> the signed request data itself (as opposed to metadata that allows the > >> recipient to reconstruct the data), because the recipient can choose > >> not to verify the binding between the signed data and the request. > > > > Yes, there is certainly a risk if someone just checks the signature and > > does not verify the content of the message. This is a bad implementation > > of an authorization system, to be sure, and it's an issue that people > > need to be aware of. But simply signing metadata doesn't completely > > solve the problem, either. In both cases there can be parameters that > > are outside of the signed request that need to be checked and treated > > appropriately. > > > > -- Justin > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes