Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

Dick Hardt <dick.hardt@gmail.com> Fri, 10 August 2012 16:49 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <50253697.5070706@mitre.org>
Date: Fri, 10 Aug 2012 09:48:59 -0700
Message-Id: <8CA5C199-D005-45B6-A352-81F6396181AF@gmail.com>
References: <CAOKdZ1dzVcKBDt6CSLuHwc4NzUVd_hUMWdpJVS6=ncdJo05=UQ@mail.gmail.com> <502280D8.40708@mitre.org> <9AD4EEF7-6187-4A4F-A855-32819BCB8321@gmx.net> <5022D344.40600@mitre.org> <EEBC9705-16C0-4697-8F38-28660C3CB553@ve7jtb.com> <5023CC18.9090809@mitre.org> <1344531175.4871.YahooMailNeo@web31812.mail.mud.yahoo.com> <3940317E-948C-4909-9B8F-2689A6B8D4EB@gmail.com> <1344534823.39489.YahooMailNeo@web31801.mail.mud.yahoo.com> <E3386483-222B-4B71-ADD4-0E8C0C0E18ED@gmail.com> <502418C3.5080402@mitre.org> <FD699F57-C56C-4D4C-A8CD-C1A2BF846C1C@gmail.com> <50253697.5070706@mitre.org>
To: Justin Richer <jricher@mitre.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01

On Aug 10, 2012, at 9:28 AM, Justin Richer wrote:

> On 08/09/2012 06:47 PM, Dick Hardt wrote:
>> 
>> On Aug 9, 2012, at 1:08 PM, Justin Richer wrote:
>> 
>>> With MAC, you should be able to re-use about 80-90% of your existing codepath that's in place for Bearer, simplifying the setup below.
>> 
>> That makes no sense; I would be adding MAC to the sites that support MAC in addition to OAuth 1.0A or OAuth 2.0.
> 
> You get to re-use all of the code for OAuth2 for issuing tokens (from server side) and requesting tokens (from client side). Apart from parsing the JSON value that's returned from the token endpoint (and you are using a generic parser there, right?), nothing changes here. The part where you *use* the token to access a protected resource (client), or *validate* a request to a protected resource (server) changes significantly, yes. But that's only a small part of the process.
That makes sense; sorry, I was not clear on what I said did not make sense, which was "simplifying the setup below".

As a client developer, adding MAC to the mix *increases* my code base as it is yet another protocol to understand and implement against. OAuth 1.0A and OAuth 2.0 bearer are not going to go away.

-- Dick
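As an added illustration of the code-reuse point under discussion (this is my own sketch, not code from the thread, from the MAC draft, or from any project): the token-endpoint exchange is parsed by one generic JSON parser for both schemes, and only the two scheme-specific pieces differ, namely how the client presents the token and how the resource server validates it. The MAC part is where the extra client-side work lives: a normalized request string, a per-request nonce, an HMAC, and on the server a replay check, a freshness window and a constant-time comparison. The normalized-request-string layout (nonce, method, request-URI, host, port, ext, each newline-terminated) and the "timestamp:random" nonce form follow my reading of the draft and should be treated as assumptions; the token values and JSON bodies are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# ---- Shared path: the token endpoint exchange is identical for Bearer and MAC ----

@dataclass
class Token:
    access_token: str
    token_type: str
    mac_key: Optional[str] = None        # present only for MAC tokens
    mac_algorithm: Optional[str] = None  # present only for MAC tokens

def parse_token_response(body: bytes) -> Token:
    """One generic parser for the token endpoint's JSON reply; a MAC token
    simply carries two extra members that a Bearer token lacks."""
    data = json.loads(body)
    return Token(
        access_token=data["access_token"],
        token_type=data["token_type"].lower(),
        mac_key=data.get("mac_key"),
        mac_algorithm=data.get("mac_algorithm"),
    )

# ---- Scheme-specific path: presenting the token (client side) ----

def normalized_request_string(nonce: str, method: str, request_uri: str,
                              host: str, port: int, ext: str = "") -> str:
    # Assumed layout: nonce, method, request-URI, host, port, ext, each followed by "\n".
    parts = (nonce, method.upper(), request_uri, host.lower(), str(port), ext)
    return "".join(f"{part}\n" for part in parts)

def compute_mac(key: str, nrs: str) -> str:
    digest = hmac.new(key.encode(), nrs.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def bearer_header(token: Token) -> str:
    return f"Bearer {token.access_token}"

def mac_header(token: Token, method: str, request_uri: str, host: str,
               port: int, nonce: Optional[str] = None) -> str:
    if token.mac_algorithm != "hmac-sha-256":
        raise ValueError(f"unsupported mac_algorithm {token.mac_algorithm!r}")
    # Assumed nonce form: "<unix timestamp>:<random string>", unique per request.
    nonce = nonce or f"{int(time.time())}:{secrets.token_hex(4)}"
    nrs = normalized_request_string(nonce, method, request_uri, host, port)
    return f'MAC id="{token.access_token}", nonce="{nonce}", mac="{compute_mac(token.mac_key, nrs)}"'

# ---- Scheme-specific path: validating the request (resource server side) ----

_PARAM = re.compile(r'(\w+)="([^"]*)"')   # parses id="...", nonce="...", mac="..."

@dataclass
class ResourceServer:
    bearer_tokens: set                      # valid Bearer token strings
    mac_keys: dict                          # MAC id -> shared key
    max_skew: int = 300                     # seconds a nonce timestamp may differ from now
    seen_nonces: set = field(default_factory=set)

    def validate_bearer(self, authz: str) -> bool:
        scheme, _, value = authz.partition(" ")
        return scheme == "Bearer" and value in self.bearer_tokens

    def validate_mac(self, authz: str, method: str, request_uri: str,
                     host: str, port: int, now: Optional[int] = None) -> bool:
        scheme, _, params = authz.partition(" ")
        if scheme != "MAC":
            return False
        attrs = dict(_PARAM.findall(params))
        key = self.mac_keys.get(attrs.get("id", ""))
        nonce, mac = attrs.get("nonce", ""), attrs.get("mac", "")
        if key is None or not nonce or not mac:
            return False
        # Freshness: the timestamp half of the nonce must fall inside the window...
        ts, _, _ = nonce.partition(":")
        now = int(time.time()) if now is None else now
        if not ts.isdigit() or abs(now - int(ts)) > self.max_skew:
            return False
        # ...and a nonce already accepted for this id is a replay.
        if (attrs["id"], nonce) in self.seen_nonces:
            return False
        expected = compute_mac(key, normalized_request_string(nonce, method, request_uri, host, port))
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        self.seen_nonces.add((attrs["id"], nonce))
        return True
```

The point of the split is visible in the function list: `parse_token_response` is the only code touching the token endpoint and it serves both schemes, while everything below the first divider is what a client or resource server has to add for MAC on top of its Bearer handling. The replay set is kept in memory here; a real deployment needs it shared across server instances and expired alongside the freshness window.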