[OAUTH-WG] HTTP signing spec typo

"Brock Allen" <brockallen@gmail.com> Wed, 24 February 2016 22:57 UTC

From: Brock Allen <brockallen@gmail.com>
To: OAuth@ietf.org
Date: Wed, 24 Feb 2016 17:57:31 -0500
Message-ID: <00ac01d16f56$beb8aea0$3c2a0be0$@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_0cqAueiun8qB_V8QCWlPUyKGNg>
Subject: [OAUTH-WG] HTTP signing spec typo

In section 3.2 under calculating header list hash, there's an example of
hashed headers. For the values:

content-type: application/json

etag: 742-3u8f34-3r2nvv3

this is shown as the example:

"h": [["content-type", "etag"],
"bZA981YJBrPlIzOvplbu3e7ueREXXr38vSkxIBYOaxI"]

I believe the hashed value is incorrect. The hash above is correct if the
headers use "\r\n" as the separator, but the spec says to only use "\n". If
only "\n" is used as the separator then (from my calculations) the hash
value should be "P6z5XN4tTzHkfwe3XO1YvVUIurSuhvh_UG10N_j-aGs".

I'd love to get confirmation if I'm right/wrong. If I get a +1, then I'll
submit a PR to the spec in Justin's repo (unless he beats me to it).

One additional comment: It was not explicit in the spec that text encodings
should be ASCII. It might be helpful to make that explicit, as I incorrectly
assumed UTF8 (and spun my wheels for an hour or so).

Also, FWIW, I'm working on (well really, almost done with) a .NET
implementation of this spec. I'd love to know how much churn we expect on
the RFC. Also working with me on this is Dominick, who is adding the PoP support
to our IdentityServer3 implementation.

Thanks!

-Brock
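The header-list hash discussed above, reproduced as an added example (this code is not part of the e-mail, the draft, or any of the implementations it mentions). It builds the "name: value" lines from the two headers quoted in the message, joins them with either "\n" or "\r\n", SHA-256 hashes the ASCII bytes, and base64url-encodes the digest without padding, so a reader can check which separator reproduces each of the two digests quoted in the e-mail. The SHA-256 plus unpadded base64url step, the exact "name: value" line format, and the helper names are assumptions made for this example rather than text taken from the draft.

```python
import base64
import hashlib

# Header names and values quoted in the e-mail (taken from the draft's example).
EXAMPLE_HEADERS = [
    ("content-type", "application/json"),
    ("etag", "742-3u8f34-3r2nvv3"),
]

# The two digests quoted in the e-mail: the one printed in the draft, and the
# one the author computed using a bare "\n" separator.
DRAFT_HASH = "bZA981YJBrPlIzOvplbu3e7ueREXXr38vSkxIBYOaxI"
AUTHOR_HASH = "P6z5XN4tTzHkfwe3XO1YvVUIurSuhvh_UG10N_j-aGs"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding (assumed encoding of the digest)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def header_list_string(headers, separator="\n") -> str:
    """Join 'name: value' lines with the chosen separator, no trailing separator."""
    return separator.join(f"{name}: {value}" for name, value in headers)


def header_list_hash(headers, separator="\n") -> str:
    """SHA-256 over the ASCII bytes of the joined header lines, base64url-encoded."""
    text = header_list_string(headers, separator)
    # The e-mail points out the draft does not state the text encoding and that
    # ASCII is intended. Encoding as "ascii" makes a non-ASCII header value fail
    # loudly instead of silently hashing UTF-8 bytes that the peer will not produce.
    data = text.encode("ascii")
    return b64url_nopad(hashlib.sha256(data).digest())


def matching_separator(headers, expected_hash):
    """Return the separator ("\\n" or "\\r\\n") that reproduces expected_hash, or None."""
    for sep in ("\n", "\r\n"):
        if header_list_hash(headers, sep) == expected_hash:
            return sep
    return None


if __name__ == "__main__":
    for label, digest in (("draft value", DRAFT_HASH), ("author's value", AUTHOR_HASH)):
        print(f"{label}: {digest} <- separator {matching_separator(EXAMPLE_HEADERS, digest)!r}")
    print('"\\n"   ->', header_list_hash(EXAMPLE_HEADERS, "\n"))
    print('"\\r\\n" ->', header_list_hash(EXAMPLE_HEADERS, "\r\n"))
```

Running the script prints the digest produced by each separator next to the two values from the e-mail, which is the comparison the message asks the list to confirm. The separator choice matters for interoperability rather than just correctness: a signer and a verifier that disagree on "\n" versus "\r\n" (or on the text encoding) compute different hashes over identical headers, and every signed request is then rejected.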