IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

George Fletcher <gffletch@aol.com> Tue, 01 December 2009 19:22 UTC

Return-Path: <GFFletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A3183A696E for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 11:22:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MA7KmunP9xYU for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 11:22:01 -0800 (PST)
Received: from imr-ma02.mx.aol.com (imr-ma02.mx.aol.com [64.12.206.40]) by core3.amsl.com (Postfix) with ESMTP id D9DD53A6959 for <oauth@ietf.org>; Tue, 1 Dec 2009 11:21:58 -0800 (PST)
Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202]) by imr-ma02.mx.aol.com (8.14.1/8.14.1) with ESMTP id nB1JLPW2016981; Tue, 1 Dec 2009 14:21:25 -0500
Received: from GFFletch@aol.com by imo-da04.mx.aol.com (mail_out_v42.5.) id o.c45.4059df91 (37258); Tue, 1 Dec 2009 14:21:20 -0500 (EST)
Received: from palantir.local ([10.181.87.216]) by cia-ma07.mx.aol.com (v126.13) with ESMTP id MAILCIAMA078-918a4b156cb0248; Tue, 01 Dec 2009 14:21:20 -0500
Message-ID: <4B156CB0.5040001@aol.com>
Date: Tue, 01 Dec 2009 14:21:20 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Mike Malone <mjmalone@gmail.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com> <cb5f7a380912010852j3251199dse8d10da469dafa@mail.gmail.com> <a9d9121c0912011022p746e187fn1ff8240dbcdde096@mail.gmail.com>
In-Reply-To: <a9d9121c0912011022p746e187fn1ff8240dbcdde096@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AOL-IP: 10.181.87.216
X-Mailer: Unknown (No Version)
X-AOL-SENDER: GFFletch@aol.com
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 19:22:04 -0000

In addition to the use case Mike gave, I have seen at least two other 
use cases of having the "proxy" sign the URL and then present over HTTP.
1. an iGoogle gadget that wants to launch an iframe with a URL that 
carries specific identity & authorized rights
2. a rich/desktop application want to launch a browser in an 
authenticated/authorized state (i.e. client-to-browser SSO)

I also haven't seen anyone bring up the "restricted device" use case 
yet:) I do work with a product team that refuses to use SSL because of 
the memory, load time, and CPU requirements. Curious if any in the 
mobile device environment see the requirement of SSL an issue? 
Potentially not given most devices these days have a browser.

Thanks,
George

Mike Malone wrote:
> On Tue, Dec 1, 2009 at 8:52 AM, John Panzer <jpanzer@google.com> wrote:
>   
>> On Mon, Nov 30, 2009 at 2:32 PM, Mike Malone <mjmalone@gmail.com> wrote:
>>     
>>> On Mon, Nov 30, 2009 at 11:17 AM, Dick Hardt <Dick.Hardt@microsoft.com>
>>> wrote:
>>>       
>>>> On 2009-11-13, at 7:21 AM, Eran Hammer-Lahav wrote:
>>>>         
>>>>> I for one, see great value in offering some form of crypto-based
>>>>> security for cases where TLS is not suitable.
>>>>>           
>>>> Are these use cases enumerated somewhere?
>>>>         
>>> I'm not completely opposed to the TLS route, but since you asked...
>>> off the top of my head, here are a couple drawbacks to using TLS
>>> instead of signing:
>>>  - Bigger burden on developers who need to debug this stuff (i.e.,
>>> you can't sniff your own traffic to debug requests & responses).
>>>  - Properly setting up TLS can be complicated and expensive. For
>>> developers who don't have a lot of ops skills the barrier may be too
>>> high.
>>>  - You can no longer pass around signed URLs as another level of
>>> delegation (a use case that I use regularly for making XHR & POST
>>> requests from the browser). This could be a non-issue if some other
>>> mechanism for fourth-party delegation existed.
>>>
>>>       
>> Can you elaborate on the above?  For OAuth, signatures (bound to a
>> particular Consumer Secret that can't be leaked to subcontractors) is a
>> barrier to multi-level delegation.
>>     
>
> Right, but you can do poor-man's delegation by signing a URL and
> passing it off to a third (er, fourth) party to use. I've seen this
> most often with web apps, where the app (the OAuth Consumer) wants to
> make a request to the Provider directly from the browser (e.g.,
> POSTing a large file). They can't sign the URL in javascript without
> compromising the Consumer Secret, so the the URL is signed server side
> and passed to the browser for use.
>
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email