Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

Eran Hammer <eran@hueniverse.com> Thu, 16 February 2012 23:14 UTC

From: Eran Hammer <eran@hueniverse.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 16 Feb 2012 16:14:30 -0700
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
Thread-Index: AcztAK75xHpFVOIFQtiRwRX/fm/qow==
Message-ID: <CB62CD9E.13003%eran@hueniverse.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EBBDE0DD@WSMSG3153V.srv.dir.telstra.com>

I haven't seen much feedback so I assume this is almost ready for LC. I
will apply the suggestions below and will request a WGLC for -02.

EH


On 2/8/12 10:51 PM, "Manger, James H" <James.H.Manger@team.telstra.com>
wrote:

>Eran, a couple of comments on the new MAC spec:
>
>The example (§1.1) does not seem to be correct. That is, I calculate
>mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value.
>
>The example in §3.2.1 has a typo. It says "using timestamp
>"264095:7d8f3e4a"", but should say "using timestamp "264095"".
>
>Timestamp verification (§4.1) is described as preventing replay attacks.
>However, the 3 dot points that server MUST do only ensure that requests
>(other than the first) are approximately fresh (assuming the first was
>fresh). Of course, it is fairly obvious that the service can keep a copy
>of {ts,nonce,id} tuples (while the ts is still approximately fresh) to
>detect replays.
>
>When the ts field is defined (§3.1) it is probably worth mentioning that
>the fixed point in time (epoch) chosen to calculate ts MUST remain the
>same for the lifetime of the key. That is, a client app cannot pick a new
>epoch each time it starts if it is using the same key across restarts.
>
>Personally, I would almost prefer it to say: ts is seconds since 1970
>where possible; clients without a real-time clock can choose an arbitrary
>epoch, but it must remain the same for the lifetime of the key; servers
>SHOULD NOT assume client clocks are well synchronized to their own. It is
>RECOMMENDED that a server assumes the 1st request with a given key is
>fresh, and use the ts value in that request to determine the offset
>between the client's & server's clocks. That offset (assumed to remain
>constant) can be used to determine if subsequent requests are fresh.
>
>--
>James Manger
>
>-----Original Message-----
>From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
>Eran Hammer
>Sent: Thursday, 9 February 2012 4:55 AM
>To: oauth@ietf.org
>Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>
>Main changes:
>
>Removed cookies support
>Removed body hash
>Clarified timestamp verification
>
>I still have more comments to process but wanted to get a new draft out
>first as the current one expired.
>
>Please review the new timestamp prose and let me know what you think. I'm
>trying to allow the client to use any timestamp it can easily produce,
>and move the verification logic to the server as much as possible.
>
>EH
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of internet-drafts@ietf.org
>> Sent: Wednesday, February 08, 2012 9:52 AM
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Web Authorization
>> Protocol Working Group of the IETF.
>> 
>> 	Title           : HTTP Authentication: MAC Access Authentication
>> 	Author(s)       : Eran Hammer-Lahav
>> 	Filename        : draft-ietf-oauth-v2-http-mac-01.txt
>> 	Pages           : 20
>> 	Date            : 2012-02-08
>> 
>>    This document specifies the HTTP MAC access authentication scheme, an
>>    HTTP authentication method using a message authentication code (MAC)
>>    algorithm to provide cryptographic verification of portions of HTTP
>>    requests.  The document also defines an OAuth 2.0 binding for use as
>>    an access-token type.
>> 
>> 
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-http-mac-01.txt
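The server-side freshness check James Manger sketches above (assume the first request with a key is fresh, learn the client/server clock offset from it, keep {ts,nonce,id} tuples while they are still fresh to catch replays) as working logic; this is an added example, not code from the draft or from either author. The `TimestampVerifier` name, the 60-second window and the key id are assumptions, and the timestamp 264095 / nonce 7d8f3e4a are the values quoted in the thread.

```python
from dataclasses import dataclass, field

FRESHNESS_WINDOW = 60  # seconds; assumed, the draft leaves the window to the server


@dataclass
class KeyState:
    # server clock minus client clock, learned from the first request for this key
    offset: int
    # (ts, nonce) -> server-adjusted ts, retained only while still within the window
    seen: dict = field(default_factory=dict)


class TimestampVerifier:
    """Hypothetical server-side ts/nonce verification for the MAC scheme."""

    def __init__(self, window=FRESHNESS_WINDOW):
        self.window = window
        self.keys = {}  # MAC key id -> KeyState

    def check(self, key_id, ts, nonce, now):
        """Return (accepted, reason) for one request; `now` is the server clock."""
        state = self.keys.get(key_id)
        if state is None:
            # First request with this key: assumed fresh, fixes the clock offset.
            # The client's epoch must stay constant for the key's lifetime, or later
            # requests fall outside the window and are rejected as stale.
            state = KeyState(offset=now - ts)
            self.keys[key_id] = state

        adjusted = ts + state.offset
        # Tuples older than the window can no longer be replayed successfully,
        # so they are dropped; this bounds memory per key.
        state.seen = {k: v for k, v in state.seen.items() if now - v <= self.window}

        if abs(now - adjusted) > self.window:
            return False, "stale"
        if (ts, nonce) in state.seen:
            return False, "replay"
        state.seen[(ts, nonce)] = adjusted
        return True, "ok"
```

A client that restarts and picks a new epoch produces a ts far from the learned offset, which is exactly why the epoch must remain fixed for the lifetime of the key.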