Re: [OAUTH-WG] Signatures, Why?
John Kemp <john@jkemp.net> Tue, 16 March 2010 14:09 UTC
Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C4C03A682A for <oauth@core3.amsl.com>; Tue, 16 Mar 2010 07:09:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ha2w8R-9UJp3 for <oauth@core3.amsl.com>; Tue, 16 Mar 2010 07:09:42 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id C29E33A692F for <oauth@ietf.org>; Tue, 16 Mar 2010 07:09:35 -0700 (PDT)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o2GE9FBX017437; Tue, 16 Mar 2010 16:09:38 +0200
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 16 Mar 2010 16:09:34 +0200
Received: from [172.16.1.226] ([131.228.1.90]) by esebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 16 Mar 2010 16:09:33 +0200
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <4B9F29BC.3010709@alcatel-lucent.com>
Date: Tue, 16 Mar 2010 15:45:05 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C39FEB3C-4975-4DEB-9D42-E0AF3F143FC7@jkemp.net>
References: <d37b4b431003041200n1fc6cc5au83194aca28763b0d@mail.gmail.com> <4B99B2DD.3000405@stpeter.im> <4B99D783.1090905@lodderstedt.net> <4B9EB99F.1050609@lodderstedt.net> <cb5f7a381003152322m5c6ec744nb8336e329860439e@mail.gmail.com> <b71cdca91003152330p74409dc5ua34fb4ef06702a15@mail.gmail.com> <4B9F29BC.3010709@alcatel-lucent.com>
To: igor.faynberg@alcatel-lucent.com
X-Mailer: Apple Mail (2.1077)
X-OriginalArrivalTime: 16 Mar 2010 14:09:33.0270 (UTC) FILETIME=[4D6F3F60:01CAC512]
X-Nokia-AV: Clean
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Signatures, Why?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2010 14:09:44 -0000
On Mar 16, 2010, at 8:48 AM, Igor Faynberg wrote: > That's what I have been thinking. Why is it important to sign the headers? (I am not against signing them, but I cannot see the need in the specific cases we had discussed. In other words, if I had signed the body of the request, I probably would not care if someone changed the headers.) Would you care if some proxy or other intermediary changed the contents of the Authorization HTTP header? How about if they changed the URL path passed or the HTTP method from GET to POST? Which other HTTP headers might you wish to be carried through intermediaries with the property of integrity? Regards, - johnk > > Igor > > Paul Lindner wrote: >> What about http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html ? >> >> That's in use and has been implemented in shindig for quite some time. >> >> That draft adds protection of the body -- I don't know of any draft that covers signing the headers... >> >> >> On Mon, Mar 15, 2010 at 11:22 PM, John Panzer <jpanzer@google.com <mailto:jpanzer@google.com>> wrote: >> >> I'm confused by one "pro" for signatures: >> >> "Protect integrity of whole request - authorization data and >> payload when communicating over unsecure channel" >> >> I do not believe there is an existing concrete proposal that will >> protect the whole request, unless you add additional restrictions >> on the request types -- e.g., only HTTP GET or POST with >> form-encoded data variables only. >> >> If the assertion is that signatures will actually provide >> integrity for arbitrary HTTP request bodies as well as the URL, >> authority, and HTTP method: I would like to see at least one >> concrete proposal that will accomplish this. IIRC there's only >> one that I think is possibly implementable in an interoperable >> way, and it supports only JSON payloads. In other words, anyone >> using body signing would need to wrap their data in JSON to do it. >> (This is not necessarily the worst thing in the world, of course, >> but it is something to be taken into account when listing pros and >> cons.) >> >> On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt >> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >> >> Hi all, >> >> I composed a detailed summary at >> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy. >> Please review it. >> >> @Zachary: I also added some of your recent notes. >> >> regards, >> Torsten. >> >>> I volunteer to write it up. >>>> <hat type='chair'/> >>>> >>>> On 3/4/10 1:00 PM, Blaine Cook wrote: >>>> >>>>> One of the things that's been a primary focus of both today's WG call >>>>> and last week's call is what are the specific use cases for >>>>> signatures? >>>>> >>>>> - Why are signatures needed? >>>>> - What do signatures need to protect? >>>>> >>>>> Let's try to outline the use cases! Please reply here, so that we have >>>>> a good idea of what they are as we move towards the Anaheim WG. >>>>> >>>> This was a valuable thread. Perhaps someone could write up a summary of >>>> the points raised, either on the list or at the wiki? >>>> >>>> Peter >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- [OAUTH-WG] Signatures, Why? Blaine Cook
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Leif Johansson
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Jochen Hiller
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Jochen Hiller
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Peter Saint-Andre
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Eve Maler
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Eve Maler
- Re: [OAUTH-WG] Signatures, Why? Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Paul Lindner
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Eve Maler