Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 08 February 2011 15:46 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E7DE53A67FB for <oauth@core3.amsl.com>; Tue, 8 Feb 2011 07:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9HoBbItKN77 for <oauth@core3.amsl.com>; Tue, 8 Feb 2011 07:46:25 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id AC0D93A67E5 for <oauth@ietf.org>; Tue, 8 Feb 2011 07:46:23 -0800 (PST)
Received: (qmail 12311 invoked from network); 8 Feb 2011 15:46:28 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 8 Feb 2011 15:46:28 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Tue, 8 Feb 2011 08:46:23 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Skylar Woodward <skylar@kiva.org>
Date: Tue, 08 Feb 2011 08:46:09 -0700
Thread-Topic: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
Thread-Index: AcvHbixZvFmeCygKRrS/vly66OXzxgAOOMDg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723445A90BFE6C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET> <5A4C1B6B-7D51-4D12-A468-5A5991D72DCB@kiva.org> <90C41DD21FB7C64BB94121FBBC2E723445A90BFDDA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <8B90B5BF-913C-402C-8A51-757B93EFD108@kiva.org>
In-Reply-To: <8B90B5BF-913C-402C-8A51-757B93EFD108@kiva.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2011 15:46:26 -0000
While important, the body is not always available for inspection and hashing. All the parameters normalization is done to ensure it will be possible on even the most limited platform. The same cannot be done for the body. That's why it is optional. EHL > -----Original Message----- > From: Skylar Woodward [mailto:skylar@kiva.org] > Sent: Tuesday, February 08, 2011 12:57 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote: > > This authentication method comes with well understood security > properties. By making query parameters optional because of developer > ease, providers will be giving up an important part of the protection this > protocol offers. This is especially true for the majority of APIs where query > parameters are critical to the request integrity. > > Is the same then not true of content body? Why require one and not the > other? Either you trust providers to decide when the content/parameter > portions of a request (or an API) are critical to request integrity, or you don't. > > With that argument you should just require a body hash and be done with it. > What's the argument to make it an optional part of the base string?
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Michael D Adams
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav