Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
Justin Richer <jricher@mitre.org> Fri, 24 September 2010 13:43 UTC
From: Justin Richer <jricher@mitre.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <C8C16037.3AC75%eran@hueniverse.com>
References: <C8C16037.3AC75%eran@hueniverse.com>
Content-Type: text/plain; charset="UTF-8"
Date: Fri, 24 Sep 2010 09:44:28 -0400
Message-ID: <1285335868.15179.98.camel@localhost.localdomain>
MIME-Version: 1.0
X-Mailer: Evolution 2.28.3
Content-Transfer-Encoding: 8bit
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
> If it wasn’t clear, the reason why I am back at fighting for this
> after taking a break for a few months, is based on the recent positive
> experience from the Twitter migration. To me, it completely voids the
> arguments that normalization on the client side is too hard.

I wholeheartedly disagree with this statement. OAuth 1.0(a) libraries have
been around for a few years, and are now available on most every platform.
The bugs have already been ironed out, and that wasn't easy to do. Even so,
it can still be tricky to get client libraries to behave in some frameworks,
and the biggest problem is the fact that the server has to guess what the
client thought it signed when trying to build the signature.

I think that any signature method that we end up using needs to rely less
on magic and anecdote and more on explicit declaration. I think that Brian
Eaton's approach of sending the bare string that was signed, which was also
a JSON element that could be parsed and validated, was an essential
simplification. Even OpenID states which of the parameters on the request
were signed, which makes it easier to validate.

In short, I am against anything that requires guessing on the part of the
receiver of a request.

 -- Justin