Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

Eran Hammer <> Thu, 16 February 2012 23:14 UTC

From: Eran Hammer <>
To: "Manger, James H" <>, "" <>
Date: Thu, 16 Feb 2012 16:14:30 -0700

I haven't seen much feedback so I assume this is almost ready for LC. I
will apply the suggestions below and will request a WGLC for -02.


On 2/8/12 10:51 PM, "Manger, James H" <> wrote:

>Eran, a couple of comments on the new MAC spec:
>
>The example (§1.1) does not seem to be correct. That is, I calculate
>mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value.
>
>The example in §3.2.1 has a typo. It says "using timestamp
>"264095:7d8f3e4a"", but should say "using timestamp "264095"".
>
>Timestamp verification (§4.1) is described as preventing replay attacks.
>However, the 3 dot points that the server MUST do only ensure that requests
>(other than the first) are approximately fresh (assuming the first was
>fresh). Of course, it is fairly obvious that the service can keep a copy
>of {ts,nonce,id} tuples (while the ts is still approximately fresh) to
>detect replays.
>
>When the ts field is defined (§3.1) it is probably worth mentioning that
>the fixed point in time (epoch) chosen to calculate ts MUST remain the
>same for the lifetime of the key. That is, a client app cannot pick a new
>epoch each time it starts if it is using the same key across restarts.
>
>Personally, I would almost prefer it to say: ts is seconds since 1970
>where possible; clients without a real-time clock can choose an arbitrary
>epoch, but it must remain the same for the lifetime of the key; servers
>SHOULD NOT assume client clocks are well synchronized to their own. It is
>RECOMMENDED that a server assumes the 1st request with a given key is
>fresh, and uses the ts value in that request to determine the offset
>between the client & server clocks. That offset (assumed to remain
>constant) can be used to determine if subsequent requests are fresh.
>
>James Manger
>-----Original Message-----
>From: [] On Behalf Of Eran Hammer
>Sent: Thursday, 9 February 2012 4:55 AM
>Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>
>Main changes:
>
>Removed cookies support
>Removed body hash
>Clarified timestamp verification
>
>I still have more comments to process but wanted to get a new draft out
>first as the current one expired.
>
>Please review the new timestamp prose and let me know what you think. I'm
>trying to allow the client to use any timestamp it can easily produce,
>and move the verification logic to the server as much as possible.
>> -----Original Message-----
>> From: [] On Behalf Of
>> Sent: Wednesday, February 08, 2012 9:52 AM
>> To:
>> Cc:
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> This draft is a work item of the Web Authorization Protocol Working Group of
>> the IETF.
>>
>> 	Title           : HTTP Authentication: MAC Access Authentication
>> 	Author(s)       : Eran Hammer-Lahav
>> 	Filename        : draft-ietf-oauth-v2-http-mac-01.txt
>> 	Pages           : 20
>> 	Date            : 2012-02-08
>>    This document specifies the HTTP MAC access authentication scheme, an
>>    HTTP authentication method using a message authentication code (MAC)
>>    algorithm to provide cryptographic verification of portions of HTTP
>>    requests.  The document also defines an OAuth 2.0 binding for use as
>>    an access-token type.
>> A URL for this Internet-Draft is:
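The server-side freshness and replay logic James describes in the §4.1 comment (assume the first request with a key is fresh, derive the client/server clock offset from its ts, then remember {ts,nonce,id} tuples while they are still fresh), written out as an added illustration; this is not code from the draft or from either author, and the class name, the 300-second window and the key id "key-A" are assumptions made here.

```python
import time
from collections import deque


class MacFreshnessVerifier:
    """Timestamp/nonce verification for MAC-authenticated requests (illustrative).

    Per key id, the first request seen is assumed fresh and fixes the offset
    between the client's clock (any epoch) and the server's. A later request
    is fresh if its offset-adjusted ts lies within `window` seconds of server
    time. (ts, nonce) pairs are remembered for as long as they could still be
    fresh, so a replayed request is rejected even though it is "fresh".
    """

    def __init__(self, window=300):
        self.window = window     # accepted skew in seconds (hypothetical choice)
        self.offsets = {}        # key id -> (server time - client ts) at first request
        self.seen = {}           # key id -> set of (ts, nonce) still inside the window
        self.expiry = deque()    # (adjusted ts, key id, ts, nonce), roughly oldest first

    def _prune(self, now):
        # Drop remembered tuples that can no longer pass the freshness check.
        # Head-only pruning is conservative: a tuple may linger slightly longer
        # than needed, but nothing is forgotten while it could still be replayed.
        while self.expiry and self.expiry[0][0] < now - self.window:
            _, key_id, ts, nonce = self.expiry.popleft()
            self.seen[key_id].discard((ts, nonce))

    def verify(self, key_id, ts, nonce, now=None):
        """Return "ok", "stale" or "replay" for one request's ts/nonce/id."""
        now = time.time() if now is None else now
        self._prune(now)
        if key_id not in self.offsets:
            # First request with this key: trusted as fresh, defines the offset.
            self.offsets[key_id] = now - ts
        adjusted = ts + self.offsets[key_id]
        if abs(adjusted - now) > self.window:
            return "stale"
        remembered = self.seen.setdefault(key_id, set())
        if (ts, nonce) in remembered:
            return "replay"
        remembered.add((ts, nonce))
        self.expiry.append((adjusted, key_id, ts, nonce))
        return "ok"
```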