[OAUTH-WG] MAC Discussion

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 10 August 2012 07:00 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Fri, 10 Aug 2012 10:00:50 +0300
Message-Id: <D1D2FF69-B27F-40DB-A774-64772B4BC4B2@gmx.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] MAC Discussion

Justin wrote: 
"
I believe that there's value in per-message signing completely apart from the channel level encryption. 
"

May well be. But we have to figure out what exactly the reasons are why there is value. 

Bill wrote:
"
I find the idea of starting from scratch frustrating. MAC solves a set of specific problems and has a well defined use case.
"

This would be a very quick process if we had ever done our homework properly. 

So, what are the problems it tries to solve? Yesterday I found an old presentation about MAC and the basic argument was that it has better performance than TLS. While that's true it is not a good argument per se. However, performance is not the only factor to look at and the negative performance impact caused by TLS is overrated.  

Here is the slide set I am talking about: 
http://www.tschofenig.priv.at/Why_are_we_Signing.pdf

In many cases I noticed that more time was spent on the pictures (in slides and blog posts) than on the content. That's not good IMHO. 

Bill, we can hardly call a specification "complete" if many of us don't know what problem it solves. John phrases it nicely as "Part of the problem with MAC has been that people could never agree on what it was protecting against." I am also interested in hearing about deployment constraints that people have. Blaine always said that many developers cannot get TLS to work. I am sure that's true but OAuth 2.0 requires TLS to be used anyway to secure the interaction with the authorization server. 

Note: I am not saying that we are not going to standardize something like the MAC token (maybe with different details) but let us spend a little bit of time to figure out what threats we want to deal with.