Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 12 May 2014 18:03 UTC

Message-ID: <53710CC9.2000600@gmx.net>
Date: Mon, 12 May 2014 20:02:49 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Phil Hunt <phil.hunt@oracle.com>, OAuth WG <oauth@ietf.org>
References: <CAOBb0SLV0iX3TREx0kOxvoiUUau3us6YW4jQwzFT8Vz1Aq6Miw@mail.gmail.com> <9378C75B-2146-4E8D-BDD6-B4F495C52B84@oracle.com>
In-Reply-To: <9378C75B-2146-4E8D-BDD6-B4F495C52B84@oracle.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="4mxT4S8hbvtTT2SLGdFo3MUFrs19QfEfR"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/h-OfjNmNqVsVbO6ky5oFPkVUD64
Cc: blair.strang@covata.com
Subject: Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures

Hi Phil,
Hi Blair,

This is a good point. I also don't see a reason why the HTTP protocol
version should be included in the keyed message digest (from a security
point of view).

It might, however, be worthwhile to point out that we are exploring
different solution directions, as described in this slide deck
http://www.tschofenig.priv.at/oauth/IETF-OAuth-PoP.pptx

For this reason it might be interesting to know what AWS implements. Do
you guys have a reference?

Ciao
Hannes


On 05/09/2014 05:47 AM, Phil Hunt wrote:
> Fyi
> 
> Phil
> 
> Begin forwarded message:
> 
>> From: Blair Strang <blair.strang@covata.com>
>> Date: May 8, 2014 at 18:47:58 PDT
>> Resent-To: hannes.tschofenig@gmx.net, jricher@mitre.org,
>> phil.hunt@yahoo.com, wmills@yahoo-inc.com
>> To: draft-ietf-oauth-v2-http-mac@tools.ietf.org
>> Subject: HTTP protocol version in MAC signatures
>>
>> Hi,
>>
>> [Not sure if this is the right address to submit this feedback to]
>>
>> Looking over http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05
>> section 5.2. "MAC Input String", it seems that the HTTP request line is
>> used verbatim during the construction of MAC tokens.
>>
>> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it
>> seems that HTTP proxies which run different protocol versions on each
>> leg will break signatures. 
>>
>> I would recommend removing the HTTP version from the MAC. The
>> transport is inherently a "per hop" type of thing, while request
>> signatures are conceptually "end to end".
>>
>> I am not aware of any specific security benefits derived from
>> including the HTTP protocol version in the MAC input string. This may
>> be why AWS version 2 and AWS version 4 signatures do not include it.
>>
>> Thanks and regards,
>>
>>     Blair.
>>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
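[Editor's note: the following is an added example, not code from the draft, from AWS, or from anyone in this thread.] The script below reproduces the failure Blair describes: a client signs its request, an intermediary proxy re-emits it to the origin with a different HTTP version, and the origin recomputes the MAC over what it actually received. The MAC input layout used here (request line first, then the Host value, a timestamp and a nonce, each newline-terminated) is a simplified, assumed construction that keeps only the property under discussion; it is not the exact layout of draft-ietf-oauth-v2-http-mac-05 section 5.2. The key, timestamp, nonce and request bytes are constructed sample data.

```python
"""Added example: HTTP version in a request MAC breaks across a version-changing proxy.

Assumed, simplified MAC input layout (not the draft's exact format):
    <request line or method+target>\n<Host header>\n<timestamp>\n<nonce>\n
"""
import base64
import hashlib
import hmac
import re

# Constructed sample request exactly as the client emits it (HTTP/1.1).
CLIENT_REQUEST = (
    b"GET /resource/1?b=1&a=2 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Authorization: MAC id=\"h480djs93hd8\"\r\n"
    b"\r\n"
)

KEY = b"489dks293j39"   # constructed shared secret, not a real credential
TS = "1336363200"       # fixed timestamp so the run is deterministic
NONCE = "dj83hs9s"      # fixed nonce, same reason


def parse_head(raw: bytes):
    """Split an HTTP request head into (method, target, version, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) (HTTP/\d\.\d)", lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = m.groups()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def mac_input(raw: bytes, include_version: bool) -> str:
    """Build the string to be MACed.

    include_version=True  mirrors 'request line used verbatim' (method, target, version).
    include_version=False binds only method and request-target, the end-to-end
                          parts, and leaves the per-hop protocol version out.
    """
    method, target, version, headers = parse_head(raw)
    first = f"{method} {target} {version}" if include_version else f"{method} {target}"
    return "\n".join([first, headers.get("host", ""), TS, NONCE]) + "\n"


def compute_mac(key: bytes, raw: bytes, include_version: bool) -> str:
    """HMAC-SHA256 over the MAC input string, base64-encoded."""
    digest = hmac.new(key, mac_input(raw, include_version).encode("ascii"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def proxy_downgrade(raw: bytes) -> bytes:
    """Simulate a proxy that speaks HTTP/1.0 on the origin-facing leg.

    Only the version token on the request line is rewritten; the Authorization
    header is forwarded untouched, as a proxy would do.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    lines[0] = lines[0].replace(b"HTTP/1.1", b"HTTP/1.0")
    return b"\r\n".join(lines) + sep + body


def verifies_after_proxy(include_version: bool) -> bool:
    """Client MACs its HTTP/1.1 request; the origin recomputes over the HTTP/1.0
    request it actually received from the proxy. True if the two MACs match."""
    client_mac = compute_mac(KEY, CLIENT_REQUEST, include_version)
    received = proxy_downgrade(CLIENT_REQUEST)
    server_mac = compute_mac(KEY, received, include_version)
    return hmac.compare_digest(client_mac, server_mac)


if __name__ == "__main__":
    print("version in MAC input :", "OK" if verifies_after_proxy(True) else "MISMATCH")
    print("version left out     :", "OK" if verifies_after_proxy(False) else "MISMATCH")
```

Run stand-alone, the first line reports MISMATCH and the second OK: nothing about the request changed except the hop-local version token, so any MAC that covers it fails at the origin, while one bound to method and request-target survives. For comparison, the AWS Signature Version 4 canonical request covers method, canonical URI, canonical query string, selected headers and the payload hash, and does not include the HTTP version.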