Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 27 September 2010 15:13 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 505E33A6D2F for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 08:13:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Level:
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3IQn53dxxwOb for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 08:13:27 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id C329B3A6D3A for <oauth@ietf.org>; Mon, 27 Sep 2010 08:13:24 -0700 (PDT)
Received: (qmail 8982 invoked from network); 27 Sep 2010 15:14:02 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 27 Sep 2010 15:14:02 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 27 Sep 2010 08:13:59 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 27 Sep 2010 08:14:01 -0700
Thread-Topic: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision
Thread-Index: ActeSmBQ1AQuh/G7SiaW7Oq7PQkA2wADDRPQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343D460DB2C9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343D45D80139@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7BEE5493-C73B-4655-96F4-A3BB9ACC872B@gmail.com>
In-Reply-To: <7BEE5493-C73B-4655-96F4-A3BB9ACC872B@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E72343D460DB2C9P3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 15:13:33 -0000
That goes without saying. Yes. Does this satisfy your concerns? EHL From: Dick Hardt [mailto:dick.hardt@gmail.com] Sent: Monday, September 27, 2010 6:46 AM To: Eran Hammer-Lahav Cc: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision As others have stated and I agree with, you also need an extension mechanism so that other signature algorithms can be used. If there is no extension mechanism, then the spec is saying this is the only signature mechanism possible. -- Dick On 2010-09-26, at 11:44 PM, Eran Hammer-Lahav wrote: Building on John Panzer's proposal, I would like to ask if people have strong objections to the following: - Add the 1.0a RFC language for HMAC-SHA-1 signatures to the core specification in -11 - Discuss the signature language on the list and improve both prose and signature base string construction - Apply improvements to -12 Keeping the 1.0a signature in the core specification makes sense and builds on existing experience and deployment. If we can reach quick consensus on some improvements, great. If not, we satisfy the need of many here to offer a simple alternative to bearer tokens, without having to reach consensus on a new signature algorithm suitable for core inclusion. --- I have seen nothing to suggest that this working group is going to reach consensus on a single signature algorithm worthy of core inclusion. I agree with John that at least the 1.0a algorithm is well understood and already deployed. I can live with it used without changes, which will also allow reusing existing code with 2.0. I think we can improve it by making small changes, but have better things to do with my time than spend the next few months arguing over it. By including the 1.0a text in -11, we will have a feature complete specification that I hope many people here can live with if it doesn't change (which looks more likely). My question is, who here has strong objections to this, and cannot live with the core specification including the 1.0a HMAC-SHA1 algorithm? EHL _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Proposal: OAuth 1.0 signature in core … Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Dick Hardt
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Dick Hardt
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Mike Jones
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Marius Scurtescu
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Anthony Nadalin
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Lukas Rosenstock
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Anthony Nadalin
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav