IETF Logo Mail Archive

Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

John Panzer <jpanzer@google.com> Fri, 24 September 2010 16:21 UTC

Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB8C63A6B8D for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.382
X-Spam-Level:
X-Spam-Status: No, score=-104.382 tagged_above=-999 required=5 tests=[AWL=1.595, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFstrQZ3phj0 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:21:26 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 2771E3A6AB1 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:25 -0700 (PDT)
Received: from hpaq12.eem.corp.google.com (hpaq12.eem.corp.google.com [172.25.149.12]) by smtp-out.google.com with ESMTP id o8OGLv4p030805 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:57 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285345317; bh=QEmUhru7pM9uNBzOqeGtARBb4YU=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=efB3WAISgaFteu1rTe4OP1424zgYD/g0CXFMsL8QMwx3ksaUdLJAsGHUaB2Uv4LVR ormTzpj9+6umOf9kPJWNg==
Received: from pwi8 (pwi8.prod.google.com [10.241.219.8]) by hpaq12.eem.corp.google.com with ESMTP id o8OGLtPS018801 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:56 -0700
Received: by pwi8 with SMTP id 8so1091694pwi.13 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=c5vC/JoxJi1Q2zJcN9C8raXft+vzLfEL6nZouazadQg=; b=NihlGtMueuOHawundgqiqIeYFiun1Msol8ybICLE48ucN32FWi8smf4a9xos68HQgx oifCfdbIVrHzqZbKxblQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=K7I2+LQM48CZjb7fC1qxk/1aHFjWCnsZJ9F83hDJyWzIXSJFACGWp/uvLKw2RrvjGs SjipMccYhC0nLtppNtBA==
Received: by 10.142.186.1 with SMTP id j1mr2901753wff.164.1285345314416; Fri, 24 Sep 2010 09:21:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.233.7 with HTTP; Fri, 24 Sep 2010 09:21:34 -0700 (PDT)
In-Reply-To: <51097F4B-C0C7-499E-BB51-C55E55D2291A@hueniverse.com>
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <51097F4B-C0C7-499E-BB51-C55E55D2291A@hueniverse.com>
From: John Panzer <jpanzer@google.com>
Date: Fri, 24 Sep 2010 09:21:34 -0700
Message-ID: <AANLkTin7CK=pF22YAAGNA7sibT=mEb=0fo=VBWqytUeC@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="000e0cd215eae12a3e049103c620"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:21:28 -0000

On Fri, Sep 24, 2010 at 9:06 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

> Validating the signed data delivered with the request is as much magic as
> the current 1.0 approach. Go write the validation rules and see.
>

Done that (for the specific case of Salmon).  The only trick is to write the
code so that if the message were delivered via a note tied to a rock thrown
through your window, it would have the same security properties as the ones
delivered via HTTP.  This is very amenable to static analysis.

Is there a specific attack vector that we could discuss that you're worried
about?


>
> I'm getting really tired of this argument because it is not grounded in
> reality. Any attempt to compare the HTTP request to what was signed, whether
> it is sent with the request or not, is as difficult. Sending the signed data
> just makes it easier for the server to make bad assumptions and be flexible
> in an insecure way.
>
> EHL
>
> On Sep 24, 2010, at 10:51, "Justin Richer" <jricher@mitre.org> wrote:
>
> >>> I think that any signature method that we end up using needs to rely
> >>> less on magic and anecdote and more on explicit declaration.
> >>
> >> This is certainly correct ...
> >>
> >>
> >>> I think
> >>> that Brian Eaton's approach of sending the bare string that was
> >>> signed,
> >>> which was also a JSON element that could be parsed and validated,
> >>> was an
> >>> essential simplification.
> >>
> >> ... but this does not follow.  The signer can specify what was signed
> >> without sending the data...
> >>
> >>> Even OpenID states which of the parameters on
> >>> the request were signed, which makes it easier to validate.
> >>
> >> ... as in this pattern.  There are some other examples of elements of
> >> the signed object being conditionally included:
> >> 1. HTTP Digest authentication [1]
> >> 2. The IKEv2 key exchange messages [2]
> >
> > And I'm marginally OK with either pattern, though I think that the
> > former is a much cleaner way to do it. I believe either case to be
> > worlds better than the OAuth 1.0 method, which has caused countless
> > problems. I actually had to help someone debug between sending that
> > first email and this one, so I can attest that the problem has not gone
> > away! :)
> >
> >> As has been pointed out before, there is a security risk in sending
> >> the signed request data itself (as opposed to metadata that allows the
> >> recipient to reconstruct the data), because the recipient can choose
> >> not to verify the binding between the signed data and the request.
> >
> > Yes, there is certainly a risk if someone just checks the signature and
> > does not verify the content of the message. This is a bad implementation
> > of an authorization system, to be sure, and it's an issue that people
> > need to be aware of. But simply signing metadata doesn't completely
> > solve the problem, either. In both cases there can be parameters that
> > are outside of the signed request that need to be checked and treated
> > appropriately.
> >
> > -- Justin
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email