Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 11 April 2011 23:16 UTC

> -----Original Message-----
> From: Skylar Woodward [mailto:skylar@kiva.org]
> Sent: Monday, February 07, 2011 9:25 AM
> To: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
> 
> On body-hash...
> 
> Having completed a trial implementation, it seems redundant, and
> potentially problematic, to include the body-hash in the Authentication
> header. The danger is that implementors may neglect to recalculate the hash
> themselves, reusing the value (even if incorrect) provided by the client. Why
> not just require the provider to calculate this and validate it by comparing the
> final signature? This way it's clearer for everyone what the expectations are
> in validating the signature.

I actually like this "feature". If the server doesn't care about body integrity for whatever reason (based on its security analysis), it can still validate the request without bothering to validate the body hash.

EHL
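
The two positions in this exchange, as an added example that is not part of the original messages or of the draft: a server-side check that validates the MAC using the body hash as sent, with recomputation of the hash from the received body as a separate step. The base-string layout, the HMAC-SHA-256 choice, the field names and the sample request are assumptions made for illustration; the draft defines its own normalization.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared MAC key, not from the draft


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 digest of the request body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def compute_mac(key, nonce, method, uri, host, bodyhash) -> str:
    # Assumed, simplified base string: one field per line, bodyhash included.
    base = "\n".join([nonce, method, uri, host, bodyhash]) + "\n"
    digest = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def client_request(key, nonce, method, uri, host, body) -> dict:
    """Build the request the client would send (header fields plus body)."""
    bh = body_hash(body)
    return {"nonce": nonce, "method": method, "uri": uri, "host": host,
            "body": body, "bodyhash": bh,
            "mac": compute_mac(key, nonce, method, uri, host, bh)}


def verify(key, req, check_body=True) -> bool:
    # Step 1: the MAC covers the header fields, including bodyhash as sent.
    expected = compute_mac(key, req["nonce"], req["method"], req["uri"],
                           req["host"], req["bodyhash"])
    if not hmac.compare_digest(expected, req["mac"]):
        return False
    # Step 2: only recomputing the hash ties the received body to that MAC.
    if check_body and not hmac.compare_digest(body_hash(req["body"]),
                                              req["bodyhash"]):
        return False
    return True


def demo() -> dict:
    original = client_request(KEY, "n-001", "POST", "/loans",
                              "api.example.com", b"amount=25")
    # Constructed case: body differs from what was signed, header unchanged.
    altered = dict(original, body=b"amount=2500")
    return {"original": verify(KEY, original),
            "altered_header_only": verify(KEY, altered, check_body=False),
            "altered_full": verify(KEY, altered)}
```

With `check_body=False` the altered request still verifies, which is acceptable only when the server's security analysis does not rely on body integrity; a server that does rely on it must run step 2.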