Re: [OAUTH-WG] Basic signature support in the core specification
"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 27 September 2010 01:12 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6ABBF3A6A58 for <oauth@core3.amsl.com>; Sun, 26 Sep 2010 18:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.411
X-Spam-Level:
X-Spam-Status: No, score=0.411 tagged_above=-999 required=5 tests=[AWL=-0.547, BAYES_20=-0.74, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dbdfzOXCM0P for <oauth@core3.amsl.com>; Sun, 26 Sep 2010 18:12:02 -0700 (PDT)
Received: from ipxbno.tcif.telstra.com.au (ipxbno.tcif.telstra.com.au [203.35.82.204]) by core3.amsl.com (Postfix) with ESMTP id 793CF3A6C0B for <oauth@ietf.org>; Sun, 26 Sep 2010 18:12:02 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.57,240,1283695200"; d="scan'208";a="12365396"
Received: from unknown (HELO ipcbni.tcif.telstra.com.au) ([10.97.216.204]) by ipobni.tcif.telstra.com.au with ESMTP; 27 Sep 2010 11:12:38 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6118"; a="9553277"
Received: from wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) by ipcbni.tcif.telstra.com.au with ESMTP; 27 Sep 2010 11:12:38 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) with mapi; Mon, 27 Sep 2010 11:12:37 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: OAuth WG <oauth@ietf.org>
Date: Mon, 27 Sep 2010 11:12:36 +1000
Thread-Topic: [OAUTH-WG] Basic signature support in the core specification
Thread-Index: ActcR6vm6X8YseNpRhClD4sGqLl9RABlRhWA
Message-ID: <255B9BB34FB7D647A506DC292726F6E1126BFB1574@WSMSG3153V.srv.dir.telstra.com>
References: <C8C15057.3AC64%eran@hueniverse.com> <D01C840D-BA0A-42AE-A6C4-C43E6E84C2F2@gmail.com>
In-Reply-To: <D01C840D-BA0A-42AE-A6C4-C43E6E84C2F2@gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Basic signature support in the core specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 01:12:06 -0000
-1 to including a signature mechanism in OAuth2 core +1 to OAuth2 being clear about how it can deliver a secret key (and algorithm id etc) that can be used by a signature mechanism Firstly -- a mechanism to sign HTTP requests would be great, but should not be dependent on methods for users to delegate authority to apps, or on methods for apps to get temporary, less-privileged credentials. That is, don't make it OAuth-specific. Defining a request signing mechanism in OAuth2 core will cripple it with OAuth-specific quirks. The OAuth1 signing mechanism, for instance: uses names with "oauth_" prefixes; uses 2 keys (an apps long-term key, and the delegation-specific token key) whereas generic signing mechanisms invariable work with a single signing key; and overloads a single HTTP authentication scheme name with multiple purposes (indicating a server supports delegation, and conveying a request signature). Secondly -- there isn't just one sensible signing mechanism, so how do we pick which one is specified in OAuth2 core. An enveloping-style signature (eg magic signatures?); an OAuth1-style signature using 2 keys; a signature covering HTTP method/URI/body but not other headers; a signature covering any HTTP headers; a signature that can be encoded in a URI; a signature that also works on non-HTTP systems; a signature scheme that is efficient when the client app already has its own long-term public/private key pair... -- James Manger
- [OAUTH-WG] Basic signature support in the core sp… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… William Mills
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Bastian Hofmann
- Re: [OAUTH-WG] Basic signature support in the cor… George Fletcher
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… Eve Maler
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Doreswamy, Rangan
- Re: [OAUTH-WG] Basic signature support in the cor… John Panzer
- Re: [OAUTH-WG] Basic signature support in the cor… David Recordon
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Nat
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Mark Mcgloin
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eve Maler
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Manger, James H
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… John Panzer
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Mark Mcgloin
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- [OAUTH-WG] CORRECTION: Re: Basic signature suppor… Igor Faynberg
- Re: [OAUTH-WG] Basic signature support in the cor… William Mills
- Re: [OAUTH-WG] Basic signature support in the cor… Anthony Nadalin
- Re: [OAUTH-WG] CORRECTION: Re: Basic signature su… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer
- Re: [OAUTH-WG] Basic signature support in the cor… Dick Hardt
- Re: [OAUTH-WG] Basic signature support in the cor… Eran Hammer-Lahav
- Re: [OAUTH-WG] Basic signature support in the cor… Torsten Lodderstedt
- Re: [OAUTH-WG] Basic signature support in the cor… Justin Richer