Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
Skylar Woodward <skylar@kiva.org> Thu, 27 January 2011 11:48 UTC
Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF2AC3A698D for <oauth@core3.amsl.com>; Thu, 27 Jan 2011 03:48:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[AWL=-0.010, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSxSk-MN4Ins for <oauth@core3.amsl.com>; Thu, 27 Jan 2011 03:48:32 -0800 (PST)
Received: from na3sys010aog112.obsmtp.com (na3sys010aog112.obsmtp.com [74.125.245.92]) by core3.amsl.com (Postfix) with SMTP id 4A5A328C125 for <oauth@ietf.org>; Thu, 27 Jan 2011 03:48:32 -0800 (PST)
Received: from source ([209.85.161.51]) (using TLSv1) by na3sys010aob112.postini.com ([74.125.244.12]) with SMTP ID DSNKTUFcR0DPWt0YL+6nzBZO2VzTW2CM2t57@postini.com; Thu, 27 Jan 2011 03:51:36 PST
Received: by fxm5 with SMTP id 5so2182389fxm.24 for <oauth@ietf.org>; Thu, 27 Jan 2011 03:51:33 -0800 (PST)
Received: by 10.223.101.131 with SMTP id c3mr831033fao.95.1296129093802; Thu, 27 Jan 2011 03:51:33 -0800 (PST)
Received: from [10.0.1.4] (dan75-7-88-166-184-189.fbx.proxad.net [88.166.184.189]) by mx.google.com with ESMTPS id z1sm5931285fau.21.2011.01.27.03.51.32 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 27 Jan 2011 03:51:32 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 27 Jan 2011 12:51:30 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <809B826D-EFC6-439E-9926-D5AF085DBA60@kiva.org>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1082)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 11:48:33 -0000
This is excellent. Thanks for pulling together a signature-based token spec. Some feedback: - As I think was mentioned in a previous post, this spec is also attractive as method for asserting client credentials (eg, for access token requests). Your point is noted on substituting "client_id" as "token" though some language to recommend the general application of this field could be helpful for those reading the spec to draw the same conclusion. My personal preference might be the use of the word "assertion" over "token" if this is meant to be a general-purpose mechanism. Otherwise, people will naturally draw a strong correlation between related OAuth specs. I suppose this is the same sort of tension involved in keeping a more general name of MAC or assuming a more integral term, OAUTH_MAC. In any case, it feels like a "hack" to ask developers to put "client_id" into the "token" field, so I prefer multi-purpose names where multiple uses are intended. - When presenting an MAC token, it would be attractive if client credentials could also be captured in the assertion without relying on a separate assertion (imagine the confusion in two Authorization headers, MAC [token=client_id] and MAC [token=token]). A simple solution (and one that preserves the same double-secret signature as OAuth 1.0) would be to require the value of "secret" (used as the signing key) to be a concatenation of client_secret and token_secret. I assume this kind of special instruction could be made by providers just as simply as the explanation of the use of "token" for client_id in client auth. I mention it to see if anyone sees conflicts or objections to this use, or if it is worth including the option in the spec in some manner. If the spec is trying to remain more independent from the core OAuth spec, then I suppose that's a reason to both allow such alternate use and not address it. If the spec means to address common use cases and draw tight correlation between the two specs, then I see this as an positive clarification. Validating client identity on the presentation of tokens is a valuable ability. Using client credentials in the assertion allows for the signature to include an element that is potentially never sent over the wire or in a previous OAuth exchange. - Using a body hash and making it optional is a great alternative to the OAuth 1.0a method incorporating content body params. Given the confusion that parameter ordering and sorting caused for 1.0a why not apply the same method for query-string parameters? That is, normalize the query-string parameters, sort them, create a parameter hash, and include it in the assertion (optional). This allows providers to not require this if they consider it to be unnecessary for security as well as a hurdle to message signing. In any case, I'd see both elements as either optional or required. - As expressed, I had concerns over versioning of the format as any modification could introduce brittleness to the construction of the Signature Base String. Your preference seems to be to introduce MAC2 if incompatibility or confusion arises. Assuming everyone else is fine with that, it's an acceptable path forward. Of all these points, I'm most interested in feedback from others on the use of client_secret+token_secret as option for the signature key. skylar On Jan 22, 2011, at 2:09 AM, Eran Hammer-Lahav wrote: > http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 > > New version includes the following changes: > > o Added body-hash support. > o Updated OAuth 2.0 reference to -12 and added token type registration template. > o Removed error and error URI attributes (codes were just a duplication of the HTTP status codes). > > Feedback would be greatly appreciated. > > EHL > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Michael D Adams
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav