Re: [OAUTH-WG] signatures, v2

Dick Hardt <dick.hardt@gmail.com> Fri, 16 July 2010 04:53 UTC

On 2010-07-15, at 6:45 PM, Naitik Shah wrote:

> On Thu, Jul 15, 2010 at 5:43 PM, Dirk Balfanz <balfanz@google.com> wrote:
> 
> One question: What's the deal with having the signature go first? If you can explain to me why that is a good idea, I'm happy to oblige.
> 
> 
> When we were talking about base64url or not, putting the signature before the dot meant it was okay for a dot to show up in the payload in an unencoded fashion, which was coupled with the fact that lsplit or split with a limit are more common in standard libraries based on some rough exploration. But that's not relevant anymore.
> 
> Is there a downside to having the signature first? I like it better because the signature length is predictable, meaning the first X chars will be the sig, and then the X+1 char will be the dot. I like the consistency it provides :)

If we put the envelope first, then we know what to do with the token. Signatures don't exist in an encrypted token. Think of the envelope like HTTP headers. They make sense to go first. After the envelope, I don't have a preference between signature and payload or payload and signature.

btw: signature length is not predictable -- it is dependent on the algorithm. *When* a different hash algorithm is used the length will likely change. The only way to know this is to look at the algorithm first.

-- Dick
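
Added example, not part of the original thread or of any draft discussed in it: a Python sketch of the envelope-first layout argued for above. The `envelope.payload.signature` layout, the JSON envelope with an `alg` field, the algorithm names and the key are assumptions made for illustration. It shows that the base64url signature length differs between HMAC-SHA1 and HMAC-SHA256, so the verifier reads the algorithm from the envelope (against an allowlist) before it interprets the signature.

```python
import base64, hashlib, hmac, json

# Allowlist of accepted MAC algorithms (names are assumptions for this example).
ALGS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, alg: str, payload: dict) -> str:
    # Hypothetical layout: envelope first, then payload, then signature.
    env = b64u(json.dumps({"alg": alg}).encode())
    body = b64u(json.dumps(payload).encode())
    sig = hmac.new(key, f"{env}.{body}".encode(), ALGS[alg]).digest()
    return f"{env}.{body}.{b64u(sig)}"

def verify(key: bytes, token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    env, body, sig = parts
    # Read the envelope first: it says how to treat everything after it.
    try:
        alg = json.loads(b64u_dec(env))["alg"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed envelope")
    digest = ALGS.get(alg) if isinstance(alg, str) else None
    if digest is None:
        raise ValueError("unsupported algorithm")
    expected = hmac.new(key, f"{env}.{body}".encode(), digest).digest()
    # Constant-time comparison; the signature length is implied by the algorithm.
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

def signature_length(token: str) -> int:
    return len(token.rsplit(".", 1)[1])

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample value
    claims = {"user": "alice"}             # constructed sample value
    for name in ALGS:
        tok = sign(key, name, claims)
        print(name, signature_length(tok), verify(key, tok))
```
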