IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Dick Hardt <Dick.Hardt@microsoft.com> Tue, 10 November 2009 02:09 UTC

Return-Path: <Dick.Hardt@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66C043A694D for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 18:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emSlGYaX1Wyw for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 18:09:00 -0800 (PST)
Received: from smtp.microsoft.com (mail1.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 9F8DC3A690B for <oauth@ietf.org>; Mon, 9 Nov 2009 18:09:00 -0800 (PST)
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Mon, 9 Nov 2009 18:09:44 -0800
Received: from TK5EX14MBXC102.redmond.corp.microsoft.com ([169.254.2.41]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi; Mon, 9 Nov 2009 18:09:26 -0800
From: Dick Hardt <Dick.Hardt@microsoft.com>
To: John Panzer <jpanzer@google.com>
Thread-Topic: [OAUTH-WG] why are we signing?
Thread-Index: AQHKYPpiJlPvjbF+7Eug3PbIB1m6s5Et5jgAgAEXDgCAAAHrAIAAGp4A
Date: Tue, 10 Nov 2009 02:09:26 +0000
Message-ID: <19B1A486-C1F9-4EAF-9DAE-FD886D829236@microsoft.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570911091627i3e70924bnda232246df3918fd@mail.gmail.com> <cb5f7a380911091634r19f20019rabb3d1c8c9c3246f@mail.gmail.com>
In-Reply-To: <cb5f7a380911091634r19f20019rabb3d1c8c9c3246f@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-ID: <b743f7aa-fdce-4919-b35e-e15af53852c3>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 02:09:01 -0000

On 2009-11-09, at 4:34 PM, John Panzer wrote:

> Counter-argument:  The login pages are protected with https, so  
> their password is protected.

One might then ask why HTTPS is not used for all the other activity if  
it is sensitive. HTTPS is available. Crypto gets cheaper and cheaper  
with Moore's law.


>  Their session cookies are sent in clear text but are themselves  
> encrypted and are refreshed every (say) 10 minutes to minimize  
> exposure from leakage.

A lot of damage could be done in those ten minutes.

> The user's data certainly is sent in clear text form and an attacker  
> can both read it and impersonate the user to send data if they grab  
> the cookies, at least for 10 minutes.  So I got nothin' there.
>
> (Would bearer token plus a way to securely rotate the token every N  
> minutes make the OAuth session at least as secure as the above  
> scenario?)

I think so. :-)

-- Dick

v2.23.0 | Report a Bug | By Email