Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
Mark Nottingham <mnot@mnot.net> Thu, 08 October 2009 04:14 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D4E33A6823 for <oauth@core3.amsl.com>; Wed, 7 Oct 2009 21:14:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.31
X-Spam-Level:
X-Spam-Status: No, score=-6.31 tagged_above=-999 required=5 tests=[AWL=-3.711, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seE739QJ9ksb for <oauth@core3.amsl.com>; Wed, 7 Oct 2009 21:14:16 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id 38F643A688C for <oauth@ietf.org>; Wed, 7 Oct 2009 21:14:14 -0700 (PDT)
Received: from chancetrain-lm.mnot.net (unknown [118.209.157.52]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id AB50A509DA; Thu, 8 Oct 2009 00:15:48 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343784D58457@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 08 Oct 2009 15:15:44 +1100
Content-Transfer-Encoding: 7bit
Message-Id: <5BFD6F3E-4A66-4C7B-98FF-8D2C286977B3@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E72343784D58457@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1076)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2009 04:14:17 -0000
Digging up some feedback I sent privately a long while back WRT problem reporting (so apologies if the drafts have move on since)... * Overall, I don't think that this is the right approach to solving these sorts of problems (or writing a protocol generally); while there is a place for error reporting, it's important to build more error avoidance into the protocol so that reporting isn't necessary. Instead of telling people what signature methods you accept after the fact, advertise it in the challenge. Instead of telling them that they need additional authentication in a parameter, use another challenge (or the first one). This is more declarative, avoids round-trips, and generally simplifies things. * version_rejected - What's with this? If you're talking about minor versions, changes should be backwards-compatible, so there's no need to barf. If you're talking about major versions, you should use a different scheme name, and let HTTP tell them that the auth scheme isn't supported. * parameter_absent - This is overkill; if your protocol is so complex that you need to do this, it's a very bad sign, and only serves to make the protocol *more* complex. Is there anything useful that a non- human recipient can do with this? * parameter_rejected - Unrecognised parameters should be ignored; see Postel. * token_revoked / token_rejected - What is the practical difference between these, if any? * user_refused - this seems very fuzzy. * oauth_acceptable_timestamps - this creates a race condition. If you really need to inform users of the window for timestamps (seems like a security risk to me, and in any case they often won't be able to do much about it, because any skew you see will be caused by network and processing on both ends), use a delta (e.g., '5' = +- five seconds). * Your parameter names are quite verbose (e.g., oauth_parameters_rejected); this, in combination with the fact that there are so many, may cause the header to be too large, and in any case is going to push some messages over packet boundaries. How about trimming them (e.g., params_rej)? Cheers, On 22/09/2009, at 6:40 AM, Eran Hammer-Lahav wrote: > http://tools.ietf.org/html/draft-ietf-oauth-authentication > http://tools.ietf.org/html/draft-ietf-oauth-web-delegation > > I plan to publish new revisions of the above drafts to include: > > * Error codes and optional debug information > * Cleanup of the authentication extensibility model > * Change the version / protocol extensibility model > > In addition to general feedback about the drafts, I am looking for > specific feedback on the following items which I plan to address in > the next drafts: > > * Drop core support for the RSA-SHA1 method > * Replace HMAC-SHA1 with HMAC-SHA256 > * Define the authentication parameters as method-specific (for > example, drop nonce and timestamp from PLAINTEXT) > * The proposed Problem Reporting extension [1], its richness and > complexity > * Making the HMAC signature method required for all server > implementations > * Changing the delegation flow to require HTTP POST instead of > recommending it > * Mandating server support for all three parameter transmission > methods > * Adding a token revocation endpoint > * Adding the ability for servers to declare their configuration > (methods, etc.) in the WWW-Authenticate header response > * The value of the client credentials (Consumer Key) and feedback > from actual implementation experience > > In order for your feedback to be included or considered for the next > revisions it must be received by 10/2 on the oauth@ietf.org list. > > EHL > > [1] http://wiki.oauth.net/ProblemReporting > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Mark Nottingham http://www.mnot.net/
- [OAUTH-WG] Request for feedback: OAuth IETF Draft… Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Peter Saint-Andre
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Chirag Shah
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Peter Saint-Andre
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Hubert Le Van Gong
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Peter Saint-Andre
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… John Panzer
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Chirag Shah
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Mark Nottingham
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… John Panzer
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Mark Nottingham
- Re: [OAUTH-WG] Request for feedback: OAuth IETF D… Igor Faynberg