Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
Erlend Hamnaberg <ngarthl@gmail.com> Thu, 16 February 2012 09:55 UTC
Return-Path: <ngarthl@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22AF821F8675 for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 01:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.543
X-Spam-Level:
X-Spam-Status: No, score=-3.543 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlKTgRgbF+z1 for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 01:55:54 -0800 (PST)
Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9535521F861E for <oauth@ietf.org>; Thu, 16 Feb 2012 01:55:53 -0800 (PST)
Received: by obbwd15 with SMTP id wd15so3175730obb.31 for <oauth@ietf.org>; Thu, 16 Feb 2012 01:55:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dBmo4Id7o0nlm9KCWQ7nd1SQmp0blVS8lz7JLdODP44=; b=LGTlcI8rvlKdoaqhWBoj2hmQ9v8ua6rHtYs9QskNIoOTT5X4dLeCc6RO9WSjwXWRan fccXSAI5Nk6z+8o6SV4wer0BU6/P0kcKBNS6t2Soo4dH+GUkBnhfHzfIF8jtI0feqyEi nJdoPJ7OKI0GzN7f967YcySfFEpViPgFR6vPc=
MIME-Version: 1.0
Received: by 10.182.2.135 with SMTP id 7mr1315890obu.78.1329386153179; Thu, 16 Feb 2012 01:55:53 -0800 (PST)
Received: by 10.182.117.70 with HTTP; Thu, 16 Feb 2012 01:55:53 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EBBDE0DD@WSMSG3153V.srv.dir.telstra.com>
References: <20120208175209.30915.17732.idtracker@ietfa.amsl.com> <90C41DD21FB7C64BB94121FBBC2E723453AADDD3F6@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E114EBBDE0DD@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 16 Feb 2012 10:55:53 +0100
Message-ID: <CAKj3E3af64RaLLF2376ifnM6MA=YFgA-=QvUKjHpdTJ+bkpADw@mail.gmail.com>
From: Erlend Hamnaberg <ngarthl@gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="f46d044519e36dfba304b911d5f7"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 09:55:55 -0000
Comments inline: On Thu, Feb 9, 2012 at 7:51 AM, Manger, James H < James.H.Manger@team.telstra.com> wrote: > Eran, a couple of comments on the new MAC spec: > > The example (§1.1) does not seem to be correct. That is, I calculate > mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value. > I get this as well. > The example in §3.2.1 has a typo. It says "using timestamp > "264095:7d8f3e4a"", but should say "using timestamp "264095"". > > +1 > Timestamp verification (§4.1) is described as preventing replay attacks. > However, the 3 dot points that server MUST do only ensure that requests > (other than the first) are approximately fresh (assuming the first was > fresh). Of course, it is fairly obvious that the service can keep a copy of > {ts,nonce,id} tuples (while the ts is still approximately fresh) to detect > replays. > > When the ts field is defined (§3.1) it is probably worth mentioning that > the fixed point in time (epoch) chosen to calculate ts MUST remain the same > for the lifetime of the key. That is, a client app cannot pick a new epoch > each time it starts if it is using the same key across restarts. > > Personally, I would almost prefer it to say: ts is seconds since 1970 were > possible; clients without a real-time clock can choose an arbitrary epoch, > but it must remain the same for the lifetime of the key; servers SHOULD NOT > assume client clocks are well synchronized to their own. It is RECOMMENDED > that a server assumes the 1st request with a given key is fresh, and use > the ts value in that request to determine the offset between the client & > servers clocks. That offset (assumed to remain constant) can be used to > determine if subsequent requests are fresh. > > Seems reasonable. -E
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-m… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… Eran Hammer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… William Mills
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… Manger, James H
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… Erlend Hamnaberg
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… Eran Hammer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-ht… Julian Reschke