IETF Logo Mail Archive

Re: [oauth] OAuth only for HTTP request signing?

Will Norris <will@willnorris.com> Thu, 05 February 2009 21:58 UTC

Return-Path: <will@willnorris.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 97A0D3A6AB8 for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 13:58:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1Vv6CnyZhyE for <oauth@core3.amsl.com>; Thu, 5 Feb 2009 13:58:31 -0800 (PST)
Received: from mho-01-bos.mailhop.org (mho-01-bos.mailhop.org [63.208.196.178]) by core3.amsl.com (Postfix) with ESMTP id AB65D3A6AD1 for <oauth@ietf.org>; Thu, 5 Feb 2009 13:58:31 -0800 (PST)
Received: from c-24-5-85-216.hsd1.ca.comcast.net ([24.5.85.216] helo=[10.0.1.7]) by mho-01-bos.mailhop.org with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <will@willnorris.com>) id 1LVCEx-0002Rn-D2; Thu, 05 Feb 2009 21:58:31 +0000
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 24.5.85.216
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18tUnniJ9SV+p1lVM7wTZNGbrDbeCk4GmA=
Message-Id: <E400BF1A-8280-4803-9873-57BCB6E3C868@willnorris.com>
From: Will Norris <will@willnorris.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <C5B09F37.122D5%eran@hueniverse.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Thu, 05 Feb 2009 13:58:28 -0800
References: <C5B09F37.122D5%eran@hueniverse.com>
X-Mailer: Apple Mail (2.930.3)
Cc: Onyx Raven <onyxraven@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth only for HTTP request signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2009 21:58:32 -0000

Eran,

Is the plan to put the existing SBS stuff in IETF OAuth Core or in a  
separate HTTP binding?  Perhaps that would be a reasonable compromise,  
leaving OAuth Core protocol agnostic.  Of course, the WG could only be  
responsible for creating the HTTP binding, not any other protocol.   
But it would leave OAuth Core flexible enough to support future  
protocol bindings in the future without modification.

Or am I missing something?

-will


On Feb 5, 2009, at 1:50 PM, Eran Hammer-Lahav wrote:

> The fact the signature base string today is compatible with XMPP  
> (but taking a liberal view of the workflow), is mostly luck. It just  
> happened that a solution that was optimized for HTTP seems to work  
> well for XMPP with some clarifications.
>
> It is very likely that we will be defining a new signature method.  
> If non-HTTP considerations will make it any more complex than it has  
> to be, I will find it problematic. If it doesn't, great. I am happy  
> to allow the charter to "review the applicability of existing and  
> new signature methods to protocols other than HTTP", but that is  
> where I think we should draw a line.
>
> The charter should allow a signature method that does not support  
> XMPP, if it makes HTTP better. In other words, I am against putting  
> any other protocol at equal consideration as HTTP.
>
> EHL
>
>
> On 2/5/09 1:37 PM, "Onyx Raven" <onyxraven@gmail.com> wrote:
>
> So, thats what I was trying to get at.  I agree that the excepted
> token consumer-request -> sp-auth -> consumer-access process should be
> HTTP based as it is defined now.  It was really more about the
> consumer -> sp request signing (with delegated access), which like
> below, could be XMPP, IRC, proprietary game protocols, etc.  At a
> basic level, signature signing is defined as
> METHOD&RESOURCE&PARAMETERS (where parameters are key/value pairs
> structured in www-form-urlencoded style).
>
> But like I said before, as long as the core standard has acceptable
> wording for other consumer -> sp request protocols to hook into, thats
> what matters there.  I just wanted to be sure we didn't get locked
> into something we might want alternatives to in the future.
>
> On Thu, Feb 5, 2009 at 2:21 PM, John Kemp <john@jkemp.net> wrote:
>> On Feb 5, 2009, at 3:52 PM, Seth Fitzsimmons wrote:
>>
>>>
>>> XMPP (XEP-0235) assumes that tokens are exchanged out of band,  
>>> leaving
>>> that mechanism in HTTP.
>>
>> Right. The point being that there are at least two potentially- 
>> independent
>> parts to OAuth - a set of signature mechanisms (RSA-SHA1, HMAC-SHA1,
>> PLAINTEXT), and an HTTP-based protocol for token exchange.
>>
>> [...]
>>
>>>
>>> To me, the most useful aspect of OAuth when applied to other  
>>> protocols
>>> is a clearly defined way to generate signatures given constituent
>>> components.
>>
>> I think it's certainly reasonable to suggest that the signature  
>> mechanisms
>> be defined so as to be useful in contexts other than HTTP. Which  
>> apparently
>> already worked well-enough for XMPP with OAuth 1.0.
>>
>> - johnk
>>
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.46.0 | Report a Bug | By Email | System Status