Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

Dick Hardt <dick.hardt@gmail.com> Thu, 09 August 2012 22:40 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <1344545250.38511.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Thu, 09 Aug 2012 15:39:50 -0700
Message-Id: <A9714B10-D4A1-4894-86C3-05274E3A86ED@gmail.com>
References: <CAOKdZ1dzVcKBDt6CSLuHwc4NzUVd_hUMWdpJVS6=ncdJo05=UQ@mail.gmail.com> <502280D8.40708@mitre.org> <9AD4EEF7-6187-4A4F-A855-32819BCB8321@gmx.net> <5022D344.40600@mitre.org> <EEBC9705-16C0-4697-8F38-28660C3CB553@ve7jtb.com> <5023CC18.9090809@mitre.org> <1344531175.4871.YahooMailNeo@web31812.mail.mud.yahoo.com> <3940317E-948C-4909-9B8F-2689A6B8D4EB@gmail.com> <1344534823.39489.YahooMailNeo@web31801.mail.mud.yahoo.com> <E3386483-222B-4B71-ADD4-0E8C0C0E18ED@gmail.com> <1344545250.38511.YahooMailNeo@web31801.mail.mud.yahoo.com>
To: William Mills <wmills_92105@yahoo.com>
X-Mailer: Apple Mail (2.1278)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

Yes, sort of.

I blew two days debugging my code accessing Twitter.

We had intermittent failures. It would work for hours, and then fail for hours.

Eventually I noticed that we were calling http://api.twitter.com instead of https://api.twitter.com. Once we changed that it worked fine. 

On Aug 9, 2012, at 1:47 PM, William Mills wrote:

> Mostly it's around making sure you get the signature base string constructed right in my experience.
> 
> From: Dick Hardt <dick.hardt@gmail.com>
> To: William Mills <wmills_92105@yahoo.com> 
> Cc: Dick Hardt <dick.hardt@gmail.com>; "oauth@ietf.org" <oauth@ietf.org> 
> Sent: Thursday, August 9, 2012 12:48 PM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
> 
> As an implementer, I have an app that accesses 10 different resources. Some are OAuth 1.0A, some are a variant of OAuth 2. All have a slightly different code path since each resource is its own beautiful snowflake. I did not use any libraries for OAuth 2. Supporting MAC would give me yet another library to integrate with.
> 
> I'd be interested in what signing problems OAuth 1.0A has. I have my own list of how writing to OAuth 1.0A is hard.
> 
> On Aug 9, 2012, at 10:53 AM, William Mills wrote:
> 
>> MAC fixes the signing problems encountered in OAuth 1.0a, yes there are libraries out there for OAuth 1.0a.  MAC fits in to the OAuth 2 auth model and will provide for a single codepath for sites that want to use both Bearer and MAC.
>> 
>> From: Dick Hardt <dick.hardt@gmail.com>
>> To: William Mills <wmills_92105@yahoo.com> 
>> Cc: "oauth@ietf.org" <oauth@ietf.org> 
>> Sent: Thursday, August 9, 2012 10:27 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>> 
>> 
>> On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>> 
>>> I find the idea of starting from scratch frustrating.  MAC solves a set of specific problems and has a well-defined use case.  It's symmetric-key based, which doesn't work for some folks, and the question is: do we try to develop something that supports both PK and SK, or finish the SK use case and then work on a PK-based draft?
>>> 
>>> I think it's better to leave them separate and finish out MAC which is *VERY CLOSE* to being done.
>> 
>> Who is interested in MAC? People can use OAuth 1.0 if they prefer that model. 
>> 
>> For my projects, I prefer the flexibility of a signed or encrypted JWT if I need holder of key.
>> 
>> Just my $.02
>> 
>> -- Dick  
>> 
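The thread turns on two OAuth 1.0a signing details: William's remark that most trouble comes from getting the signature base string right, and Dick's http/https mix-up. Both meet in RFC 5849 section 3.4.1, where the scheme is part of the base string URI, so a client that signs "http://..." and a server that reconstructs "https://..." compute different HMACs and the request fails verification. The following is an added example (editor's code, not code from the thread, from Twitter, or from any library the participants used): an RFC 5849 signature base string builder with HMAC-SHA1 signing and a server-side verify step. The URL, keys, secrets, nonce and timestamp are constructed for illustration.

```python
import base64
import hashlib
import hmac
import urllib.parse


def percent_encode(s: str) -> str:
    """RFC 5849 section 3.6: UTF-8 encode, then percent-encode everything except
    ALPHA / DIGIT / "-" / "." / "_" / "~", using uppercase hex digits."""
    return urllib.parse.quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop the default port,
    keep the path, drop query and fragment. The scheme stays in the result, which
    is why an http:// request cannot verify against an https:// signature."""
    p = urllib.parse.urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""  # urlsplit already lowercases the host
    default_port = {"http": 80, "https": 443}.get(scheme)
    if p.port is not None and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalize_parameters(params) -> str:
    """RFC 5849 section 3.4.1.3.2: encode names and values, sort by name then value,
    join as name=value pairs with '&'."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 section 3.4.1.1: METHOD & enc(base URI) & enc(normalized params).
    Parameters come from the query string, the form body and the oauth_* protocol
    parameters; oauth_signature itself is never part of the base string."""
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    params = list(query) + list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join([method.upper(),
                     percent_encode(base_string_uri(url)),
                     percent_encode(normalize_parameters(params))])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key = enc(consumer secret) & enc(token secret)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Client side: return a copy of oauth_params with oauth_signature filled in."""
    signed = dict(oauth_params)
    base = signature_base_string(method, url, oauth_params, body_params)
    signed["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Server side: rebuild the base string from the request as the server saw it
    (its own scheme, host and path) and compare signatures in constant time."""
    presented = oauth_params.get("oauth_signature", "")
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed sample request; none of these values come from the thread or from Twitter.
CONSUMER_SECRET = "cs-secret"
TOKEN_SECRET = "ts-secret"
OAUTH_PARAMS = {
    "oauth_consumer_key": "ck123",
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1344551998",
    "oauth_token": "tok456",
    "oauth_version": "1.0",
}
HTTPS_URL = "https://API.Example.com:443/1.1/statuses/home_timeline.json?count=2&q=a%20b"
HTTP_URL = "http://api.example.com/1.1/statuses/home_timeline.json?count=2&q=a%20b"


def scheme_mismatch_demo():
    """Sign as if the request went to the https URL, then verify it under both
    schemes. Returns (verifies_on_https, verifies_on_http)."""
    signed = sign_request("GET", HTTPS_URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return (verify_request("GET", HTTPS_URL, signed, CONSUMER_SECRET, TOKEN_SECRET),
            verify_request("GET", HTTP_URL, signed, CONSUMER_SECRET, TOKEN_SECRET))


if __name__ == "__main__":
    print(signature_base_string("GET", HTTPS_URL, OAUTH_PARAMS))
    print(scheme_mismatch_demo())
```

The base string printed for the constructed request starts with "GET&https%3A%2F%2Fapi.example.com%2F..." and the demo returns (True, False): the same signed header is accepted when the server reconstructs the https URI and rejected when it reconstructs the http one. The other classic base-string mistakes (single encoding of the query value "a b", sorting before encoding, including oauth_signature, leaving the host's capitalization or an explicit :443 in the URI) all change the string in the same way and fail the same check.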