Re: [OAUTH-WG] MAC Discussion
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 August 2012 19:17 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 182BA21F8667 for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 12:17:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.299
X-Spam-Level:
X-Spam-Status: No, score=-5.299 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5RR-asMlZrR for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 12:17:53 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe002.messaging.microsoft.com [65.55.88.12]) by ietfa.amsl.com (Postfix) with ESMTP id 98E0F21F8661 for <oauth@ietf.org>; Tue, 14 Aug 2012 12:17:53 -0700 (PDT)
Received: from mail21-tx2-R.bigfish.com (10.9.14.254) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Tue, 14 Aug 2012 19:17:53 +0000
Received: from mail21-tx2 (localhost [127.0.0.1]) by mail21-tx2-R.bigfish.com (Postfix) with ESMTP id 0C6E4140252; Tue, 14 Aug 2012 19:17:53 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -32
X-BigFish: VS-32(zz98dI9371I936eI542M1432Izz1202hzz1033IL8275bh8275dh5eeeKz2fh2a8h668h839h944hd25hf0ah107ah)
Received-SPF: pass (mail21-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail21-tx2 (localhost.localdomain [127.0.0.1]) by mail21-tx2 (MessageSwitch) id 1344971870805703_28690; Tue, 14 Aug 2012 19:17:50 +0000 (UTC)
Received: from TX2EHSMHS013.bigfish.com (unknown [10.9.14.249]) by mail21-tx2.bigfish.com (Postfix) with ESMTP id B6F8046004B; Tue, 14 Aug 2012 19:17:50 +0000 (UTC)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS013.bigfish.com (10.9.99.113) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 14 Aug 2012 19:17:50 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.132]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0309.003; Tue, 14 Aug 2012 19:17:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, "Richer, Justin P." <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] MAC Discussion
Thread-Index: AQHNdsXn/N1vnRKT7kuk2AFf6v8iNZdTIR+AgAAlbQCABm1LEA==
Date: Tue, 14 Aug 2012 19:17:38 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366777949@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <D1D2FF69-B27F-40DB-A774-64772B4BC4B2@gmx.net> <B33BFB58CCC8BE4998958016839DE27E067DF3E7@IMCMBX01.MITRE.ORG> <6C75E137-2C30-4D74-AABE-EB4D97C5B56F@oracle.com>
In-Reply-To: <6C75E137-2C30-4D74-AABE-EB4D97C5B56F@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.79]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC Discussion
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 19:17:55 -0000
Replying to Justin's point about the OpenID Connect signed request object, Justin, I don't believe this comparison is accurate. When an OpenID Request Object is signed, a single, self-contained object is being signed. The signing described in the MAC spec signs a combination of payload elements and transport elements. It's a testament to the complexity of this approach that Eran kept changing which elements were signed and which weren't in successive drafts. Signing an OpenID Connect Request Object is simple (just apply JWS). Signing using the MAC algorithm is an exercise left to the reader... -- Mike -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt Sent: Friday, August 10, 2012 10:03 AM To: Richer, Justin P. Cc: oauth@ietf.org WG Subject: Re: [OAUTH-WG] MAC Discussion There's no reason why the spec, or key elements of it can't be re-used. But to assume it should be "THE" spec, goes against previous formal consensus (can't remember if it was Quebec or Paris meeting) and jumps the gun on defining what the problem is. If we jump into a spec without defining the problem, we're guessing. What I saw of the previous email discussion was a lot of circular debate indicating no clear problem definition. I agree, it would be nice to re-use code from previous implementations. But that strikes me as an issue to raise when we discuss the implementation based upon future consensus of the problem. Phil @independentid www.independentid.com phil.hunt@oracle.com On 2012-08-10, at 7:49 AM, Richer, Justin P. wrote: > > On Aug 10, 2012, at 3:00 AM, Hannes Tschofenig wrote: > >> Justin wrote: >> " >> I believe that there's value in per-message signing completely apart from the channel level encryption. >> " >> >> May well be. But we have to figure out what exactly the reasons are why there is value. > > Yes, there is value in this, and that's why we're collecting a handful of use cases to support this. Otherwise, people wouldn't keep reinventing this. See SAML and OpenID Connect's signed request object for other examples. > >> >> Bill wrote: >> " >> I find the idea of starting from scratch frustrating. MAC solves a set of specific problems and has a well defined use case. >> " >> >> This would be a very quick process if we had ever done our home work properly. > > It's not done, but it's not empty. Why throw it out? Whether or not we continue the draft itself or import its best ideas into a new draft is beside the point. > >> >> So, what are the problems it tries to solve? Yesterday I found an old presentation about MAC and the basic argument was that it has better performance than TLS. While that's true it is not a good argument per se. However, performance is not the only factor to look at and the negative performance impact caused by TLS is overrated. > > This is a red herring, as pointed out by other use cases. > >> >> Here is the slide set I am talking about: >> http://www.tschofenig.priv.at/Why_are_we_Signing.pdf >> >> In many cases I had noticed that more time was spent with the pictures (in slides and blog post) than with the content. That's not good IMHO. >> >> Bill, we can hardly call a specification "complete" if many of us don't know what problem it solves. John phrases it nicely as "Part of the problem with MAC has been that people could never agree on what it was protecting against." I am also interested in hearing about deployment constraints that people have. Blaine always said that many developers cannot get TLS to work. I am sure that's true but OAuth 2.0 requires TLS to be used anyway to secure the interaction with the authorization server. > > It solves this problem: How can I use the framework of OAuth to get a temporary signing key that I can use to protect HTTP messages with signing (without stuffing my parameters into a structured document like a SAML or JWT assertion)? There are many justifications for that problem and use cases that expand on this, but that's the core thing that the MAC does. > >> >> Note: I am not saying that we are not going to standardize something like the MAC token (maybe with different details) but let us spend a little bit of time to figure out what threats we want to deal with. > > It's not just about threats, it's about capabilities and features. > > -- Justin > >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] MAC Discussion Richer, Justin P.
- [OAUTH-WG] MAC Discussion Hannes Tschofenig
- Re: [OAUTH-WG] MAC Discussion Phil Hunt
- Re: [OAUTH-WG] MAC Discussion Mike Jones
- Re: [OAUTH-WG] MAC Discussion Justin Richer
- Re: [OAUTH-WG] MAC Discussion Nat Sakimura
- Re: [OAUTH-WG] MAC Discussion Hannes Tschofenig
- Re: [OAUTH-WG] MAC Discussion Sergey Beryozkin