Re: [oauth] OAUTH Charter Proposal

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Mon, 02 February 2009 08:37 UTC

Date: Mon, 02 Feb 2009 10:37:44 +0200
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B45FFEFDE@FIESEXC015.nsn-intra.net>
In-Reply-To: <1bc4603e0902020024j71230bbr47b0b2c65b58b2b4@mail.gmail.com>
Thread-Topic: [oauth] OAUTH Charter Proposal
References: <3D3C75174CB95F42AD6BCC56E5555B45FFEE62@FIESEXC015.nsn-intra.net> <1bc4603e0902020024j71230bbr47b0b2c65b58b2b4@mail.gmail.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Chris Messina <chris.messina@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [oauth] OAUTH Charter Proposal

What about the following text: 

"
Furthermore, OAuth 1.0 defines three signature methods used to protect
requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work
on new signature methods and will describe the environments where
additional security requirements justify their usage. Existing signature
methods will not be modified but may be dropped as part of the backwards
compatible profiling activity.
"

Ciao
Hannes

PS: There are lots of people out there who have a strong opinion about
different algorithms and usage modes. I wouldn't be surprised to spend
some time discussing different algorithms. 

________________________________

	From: ext Chris Messina [mailto:chris.messina@gmail.com]
	Sent: 02 February, 2009 10:24
	To: Tschofenig, Hannes (NSN - FI/Espoo)
	Cc: oauth@ietf.org
	Subject: Re: [oauth] OAUTH Charter Proposal

	On Sun, Feb 1, 2009 at 11:00 PM, Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com> wrote:

		Second, w/r/t to this:

		       Furthermore, OAuth 1.0 defines three signature methods used to protect requests, namely PLAINTEXT, HMAC-SHA1, and RSA-SHA1. The group will work on new signature methods in case the existing mechanisms do not fulfill the security requirements.

		Where are the "security requirements" coming from? Are these defined separately? Whose are they?

		[hannes] I think a pragmatic approach is sensible here: a document that describes a new mechanism might want to say what requirements guided the solution and thereby provide some motivation.

		I was not thinking of an independent requirements document. I don't think that it is well spent time.


	I agree.

	Maybe it was just the wording -- it sounded like there were some definitive "security requirements" (or else you wouldn't be able to tell if they were fulfilled!) but perhaps that's not what's intended there.

	I think I understand now: if you propose new security methods or signing mechanisms, the document will describe why to use them in situations with different security requirements. Ok.

	Thanks,

	Chris 

	-- 
	Chris Messina
	Citizen-Participant &
	 Open Web Advocate-at-Large
	
	factoryjoe.com # diso-project.org
	citizenagency.com # vidoop.com
	This email is:   [ ] bloggable    [X] ask first   [ ] private
	
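The charter text above names the three OAuth 1.0 signature methods without saying what distinguishes them. The following is an added example, not part of this thread or of any OAuth implementation, that signs one request with HMAC-SHA1 and with PLAINTEXT following the RFC 5849 base-string rules, so the security difference the charter alludes to is visible: the HMAC signature proves possession of the secrets without transmitting them, while the PLAINTEXT "signature" is the secrets themselves (which is why PLAINTEXT is only acceptable over TLS). Function names are my own; the sample request, keys and secrets are the illustrative values from the OAuth Core 1.0 specification appendix, reused here as test data.

```python
"""OAuth 1.0 request signing: HMAC-SHA1 versus PLAINTEXT (RFC 5849, section 3.4).

Added example for the mailing-list discussion above; not code from the thread
or from any OAuth library. Helper names are this example's own choices.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value: str) -> str:
    """RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay unencoded, rest is %XX."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: list) -> str:
    """Build METHOD & enc(base URI) & enc(normalized parameters) per section 3.4.1."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    # Default ports are dropped from the base string URI; others are kept.
    if parts.port and not ((scheme == "http" and parts.port == 80)
                           or (scheme == "https" and parts.port == 443)):
        host = f"{host}:{parts.port}"
    base_uri = f"{scheme}://{host}{parts.path}"
    # Query parameters are signed too; oauth_signature itself is excluded.
    collected = list(parse_qsl(parts.query, keep_blank_values=True))
    collected += [(k, v) for k, v in oauth_params if k != "oauth_signature"]
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in collected)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_uri), pct_encode(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = enc(consumer secret) & enc(token secret)."""
    return f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}"


def sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret="") -> str:
    """HMAC-SHA1 over the base string; the secrets never leave the client."""
    base = signature_base_string(method, url, oauth_params).encode("ascii")
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def sign_plaintext(consumer_secret: str, token_secret: str = "") -> str:
    """PLAINTEXT (section 3.4.4): the signature IS the key, sent in the clear."""
    return signing_key(consumer_secret, token_secret)


def verify_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret,
                     presented: str) -> bool:
    """Server side: recompute and compare in constant time."""
    expected = sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample request (values from the OAuth Core 1.0 specification appendix example).
SAMPLE_METHOD = "GET"
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def secret_exposed(signature: str) -> bool:
    """True if either shared secret can be read straight out of the signature."""
    return CONSUMER_SECRET in signature or TOKEN_SECRET in signature


if __name__ == "__main__":
    print("base string:", signature_base_string(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS))
    h = sign_hmac_sha1(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    p = sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET)
    print("HMAC-SHA1:", h, "exposes secret:", secret_exposed(h))
    print("PLAINTEXT:", p, "exposes secret:", secret_exposed(p))
```

Running the module prints both signatures for the same request; the HMAC value is a 160-bit tag bound to method, URI and every parameter (so changing `file=vacation.jpg` invalidates it), whereas the PLAINTEXT value is literally the two secrets joined by `&`, which is the property the charter's "environments where additional security requirements justify their usage" sentence is about.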

_______________________________________________
oauth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth