Re: [OAUTH-WG] why are we signing?

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 02 December 2009 03:08 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Date: Tue, 01 Dec 2009 20:08:45 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <4B15D7C2.2070901@stpeter.im>
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, ext, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter@stpeter.im]
> Sent: Tuesday, December 01, 2009 6:58 PM
> To: Eran Hammer-Lahav
> Cc: Tschofenig, Hannes (NSN - FI/Espoo); ext Dick Hardt; oauth@ietf.org
> Subject: Re: [OAUTH-WG] why are we signing?
> 
> <hat type='individual'/>
> 
> On 11/30/09 1:27 PM, Eran Hammer-Lahav wrote:
> > OAuth is being proposed as a generally useful method for securing API
> > calls. I expect many open source libraries to implement it on the
> > server side and use it for blog plugins, widgets, and other highly
> > distributed software. If OAuth required the use of TLS, it would
> > simply be ignored by all those applications which will likely
> > continue using Basic.
> >
> > With all due respect to big companies, their resources, and ability
> > to effortlessly deploy SSL/TLS, it is still an expensive and complex
> > process for more developers deploying small scale server components.
> 
> With all due respect, I think it can be harder for big companies to
> deploy TLS -- they have a lot more users, need more hardware (special
> SSL accelerators and the like), have more layers of employees (so it can
> be more difficult to find the person who controls the hostmaster or
> whois-listed email address), etc.

Either way you are making my point, sorta.

> Getting a Class 1 cert from the likes of StartSSL is easy as pie these
> days. IMHO there is no excuse for not deploying SSL if you care one whit
> about security. The problem is that too many small-scale developers (and
> big companies!) simply don't care.

Don't care, don't need that much security, don't understand it, etc. Bottom line is that requiring SSL is certain to fork this work if not done right.

And BTW, I was the one arguing for mandating SSL in 1.0 when obtaining tokens. I lost.

EHL

> Peter
> 
> --
> Peter Saint-Andre
> https://stpeter.im/
>