Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

Justin Richer <jricher@mitre.org> Fri, 24 September 2010 13:43 UTC

From: Justin Richer <jricher@mitre.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <C8C16037.3AC75%eran@hueniverse.com>
References: <C8C16037.3AC75%eran@hueniverse.com>
Date: Fri, 24 Sep 2010 09:44:28 -0400
Message-ID: <1285335868.15179.98.camel@localhost.localdomain>
Cc: OAuth WG <oauth@ietf.org>

> If it wasn’t clear, the reason why I am back at fighting for this
> after taking a break for a few months is based on the recent positive
> experience from the Twitter migration. To me, it completely voids the
> arguments that normalization on the client side is too hard.

I wholeheartedly disagree with this statement. OAuth 1.0(a) libraries
have been around for a few years, and are now available on most every
platform. The bugs have already been ironed out, and that wasn't easy to
do. Even so, it can still be tricky to get client libraries to behave in
some frameworks, and the biggest problem is the fact that the server has
to guess what the client thought it signed when trying to build the
signature.

I think that any signature method that we end up using needs to rely
less on magic and anecdote and more on explicit declaration. I think
that Brian Eaton's approach of sending the bare string that was signed,
which was also a JSON element that could be parsed and validated, was an
essential simplification. Even OpenID states which of the parameters on
the request were signed, which makes it easier to validate.

In short, I am against anything that requires guessing on the part of
the receiver of a request.

 -- Justin
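Added example, not from this thread and not any OAuth library's code, contrasting the two verification styles the message describes: a server that must reconstruct an OAuth 1.0-style signature base string from the request it received, versus one that verifies the MAC over the exact string the client sent and then checks that string against the request. The secret, URLs, parameters and the JSON declaration layout are constructed for illustration; the JSON layout is an assumption, not Brian Eaton's actual proposal.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, urlsplit

SECRET = b"constructed-shared-secret"  # constructed sample key, not a real credential

def mac(data: bytes) -> str:
    """HMAC-SHA1, base64 encoded, as in OAuth 1.0's HMAC-SHA1 method."""
    return base64.b64encode(hmac.new(SECRET, data, hashlib.sha1).digest()).decode()

def base_string(method: str, url: str, params: dict) -> str:
    """OAuth 1.0-style signature base string; both sides must rebuild it byte for byte."""
    u = urlsplit(url)
    norm_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((quote(k, safe="~"), quote(v, safe="~")) for k, v in params.items())
    norm_params = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(quote(p, safe="~") for p in (method.upper(), norm_url, norm_params))

def verify_by_guessing(method: str, url_seen: str, params: dict, sig: str) -> bool:
    """The server rebuilds the base string from what it received and hopes it matches."""
    return hmac.compare_digest(mac(base_string(method, url_seen, params).encode()), sig)

def canonical_netloc(scheme: str, netloc: str) -> str:
    """Semantic host comparison: 'api.example.com:443' and 'api.example.com' are one origin."""
    host, _, port = netloc.lower().partition(":")
    default = {"https": "443", "http": "80"}.get(scheme.lower())
    return host if port in ("", default) else f"{host}:{port}"

def verify_declared(method: str, url_seen: str, params: dict, decl: str, sig: str) -> bool:
    """Check the MAC over the exact string the client sent, then check that the declared
    request describes the request actually received. Nothing is reconstructed."""
    if not hmac.compare_digest(mac(decl.encode()), sig):
        return False
    d, u = json.loads(decl), urlsplit(url_seen)
    return (d["method"] == method.upper() and d["path"] == u.path and d["params"] == params
            and canonical_netloc(u.scheme, d["host"]) == canonical_netloc(u.scheme, u.netloc))

# Constructed scenario: the client's framework spells the URL with the default port, the
# server's front end strips it. Same request, two spellings of the URL.
CLIENT_URL = "https://api.example.com:443/resource"
SERVER_URL = "https://api.example.com/resource"
PARAMS = {"oauth_nonce": "abc123", "q": "x y"}

def demo() -> tuple:
    guessed_sig = mac(base_string("GET", CLIENT_URL, PARAMS).encode())
    decl = json.dumps({"method": "GET", "host": "api.example.com:443", "path": "/resource",
                       "params": PARAMS}, sort_keys=True)
    return (verify_by_guessing("GET", SERVER_URL, PARAMS, guessed_sig),
            verify_declared("GET", SERVER_URL, PARAMS, decl, mac(decl.encode())))
```

`demo()` returns `(False, True)`: the reconstructing verifier rejects a legitimate request because its guess at the base string differs by one port number, while the declaring verifier accepts it and still rejects any declaration whose MAC fails or whose fields do not match the request it received.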