From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "William J. Mills" <wmills@yahoo-inc.com>, OAuth WG <oauth@ietf.org>
Date: Mon, 1 Aug 2011 08:59:58 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723450245F61F2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723450245F611B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
 <1312213271.20715.YahooMailNeo@web31813.mail.mud.yahoo.com>
In-Reply-To: <1312213271.20715.YahooMailNeo@web31813.mail.mud.yahoo.com>
Cc: Ben Adida <ben@adida.net>,
 "'Adam Barth \(adam@adambarth.com\)'" <adam@adambarth.com>
Subject: Re: [OAUTH-WG] MAC Tokens body hash
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Would you still like to see both such app-specific payload hash AND the ext parameter? I'm thinking of taking your idea and dropping ext. This way, the application can define anything they want to put in the payload hash.

EHL

From: William J. Mills [mailto:wmills@yahoo-inc.com]
Sent: Monday, August 01, 2011 8:41 AM
To: Eran Hammer-Lahav; OAuth WG
Cc: Ben Adida; 'Adam Barth (adam@adambarth.com)'
Subject: Re: [OAUTH-WG] MAC Tokens body hash

Instead of "body" hash, why not make it a payload hash or additional hash. The app can include a hash of data there as defined by the app, and you've reserved a spot for that.

________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Cc: Ben Adida <ben@adida.net>; "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>
Sent: Friday, July 29, 2011 6:43 PM
Subject: [OAUTH-WG] MAC Tokens body hash
I plan to drop support for the bodyhash parameter in the next draft based on bad implementation experience. Even with a simple text body, UTF encoding has introduced significant issues for us. The current draft does not work using simple JS code between a browser and node.js even when both use the same v8 engine due to differences in the body encoding. Basically, the JS string used to send a request from the browser is not the actual string sent on the wire.

To fix that, we need to force UTF-8 encoding on both sides. However, that is very much application specific. This will not work for non-text bodies. Instead, the specification should offer a simple way to use the ext parameter for such needs, including signing headers. And by offer I mean give examples, but leave it application specific for now.

I am open to suggestions but so far all the solutions I came up with will introduce unacceptable complexity that will basically make this work useless.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

