IETF Logo Mail Archive

Re: [OAUTH-WG] MAC Tokens body hash

Phil Hunt <phil.hunt@oracle.com> Tue, 02 August 2011 05:50 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E4F21F8E12 for <oauth@ietfa.amsl.com>; Mon, 1 Aug 2011 22:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.378
X-Spam-Level:
X-Spam-Status: No, score=-3.378 tagged_above=-999 required=5 tests=[AWL=-0.780, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xo3sA9Lb6g3Z for <oauth@ietfa.amsl.com>; Mon, 1 Aug 2011 22:50:54 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 164C121F8E10 for <oauth@ietf.org>; Mon, 1 Aug 2011 22:50:54 -0700 (PDT)
Received: from rtcsinet22.oracle.com (rtcsinet22.oracle.com [66.248.204.30]) by rcsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p725ovK8001814 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 2 Aug 2011 05:51:00 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by rtcsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p725oumo020096 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Aug 2011 05:50:57 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p725opov019477; Tue, 2 Aug 2011 00:50:51 -0500
Received: from [192.168.1.8] (/24.87.204.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 01 Aug 2011 22:50:50 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-3--1050400694"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1312214803.15068.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Mon, 01 Aug 2011 22:50:48 -0700
Message-Id: <62E9072B-6687-4906-9241-717D6EBD8167@oracle.com>
References: <90C41DD21FB7C64BB94121FBBC2E723450245F611B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1312213271.20715.YahooMailNeo@web31813.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E723450245F61F2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1312214803.15068.YahooMailNeo@web31801.mail.mud.yahoo.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: rtcsinet22.oracle.com [66.248.204.30]
X-CT-RefId: str=0001.0A090208.4E379045.000D,ss=1,re=-2.300,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC Tokens body hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 05:50:55 -0000

Agree.

-1 on removing the ext parameter.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-08-01, at 9:06 AM, William J. Mills wrote:

> I think the extended parameter still has use if someone extends the MAC stuff specifically, whcih the additional hash is useful for a data signature, that's off the cuff though without implementing somethign to try it out.
> 
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: William J. Mills <wmills@yahoo-inc.com>; OAuth WG <oauth@ietf.org>
> Cc: Ben Adida <ben@adida.net>; "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>
> Sent: Monday, August 1, 2011 8:59 AM
> Subject: RE: [OAUTH-WG] MAC Tokens body hash
> 
> Would you still like to see both such app-specific payload hash AND the ext parameter? I’m thinking of taking your idea and dropping ext. This way, the application can define anything they want to put in the payload hash.
>  
> EHL
>  
> From: William J. Mills [mailto:wmills@yahoo-inc.com] 
> Sent: Monday, August 01, 2011 8:41 AM
> To: Eran Hammer-Lahav; OAuth WG
> Cc: Ben Adida; 'Adam Barth (adam@adambarth.com)'
> Subject: Re: [OAUTH-WG] MAC Tokens body hash
>  
> Instead of "body" hash why not make it a payload hash or additional hash.  The app can include a hash of data there as defined by the app, and you've reserved a spot for that.
>  
> From: Eran Hammer-Lahav <eran@hueniverse.com>
> To: OAuth WG <oauth@ietf.org>
> Cc: Ben Adida <ben@adida.net>; "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>
> Sent: Friday, July 29, 2011 6:43 PM
> Subject: [OAUTH-WG] MAC Tokens body hash
> I plan to drop support for the bodyhash parameter in the next draft based on bad implementation experience. Even with simple text body, UTF encoding has introduced significant issues for us. The current draft does not work using simple JS code between a browser and node.js even when both use the same v8 engine due to differences in the body encoding. Basically, the JS string used to send a request from the browser is not the actual string sent on the wire.
>  
> To fix that, we need to force UTF-8 encoding on both sides. However, that is very much application specific. This will not work for non-text bodies. Instead, the specification should offer a simple way to use the ext parameter for such needs, including singing headers. And by offer I mean give examples, but leave it application specific for now.
>  
> I am open to suggestions but so far all the solutions I came up with will introduce unacceptable complexity that will basically make this work useless.
>  
> EHL
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email