IETF Logo Mail Archive

Re: [OAUTH-WG] Signature crypto

Breno <breno.demedeiros@gmail.com> Fri, 04 December 2009 18:17 UTC

Return-Path: <breno.demedeiros@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19FD328C0EF for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 10:17:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1zlGJBnUkqm4 for <oauth@core3.amsl.com>; Fri, 4 Dec 2009 10:17:12 -0800 (PST)
Received: from mail-yx0-f192.google.com (mail-yx0-f192.google.com [209.85.210.192]) by core3.amsl.com (Postfix) with ESMTP id F3D8128C0E9 for <oauth@ietf.org>; Fri, 4 Dec 2009 10:17:11 -0800 (PST)
Received: by yxe30 with SMTP id 30so2674149yxe.29 for <oauth@ietf.org>; Fri, 04 Dec 2009 10:17:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=9j7P5PABD+z6obpboODaEpYJM8W9IVSWV5OxHOtoyyY=; b=j5h/cl0a4Ujzdz4+1tygFSEdJRz/iP+m0/GAN4JJoPojUZ2mf46GA8vfVkNalFil4Z ObY4ekipEwkOobEGLC1zgdjUpudJ5DjBX/XBo+owv6NX5lJUzDffPb4Y0xef99m6RGo5 loTJeIo31crmsJlUnX4m6qxPqDa/bXpmMpiRY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=xsFTrih0xPcHX4a4xvMh3wF4i9xiwYKhq92E2C+TZmwGlyjU5UUR8vyI4OFtgc06RP LB+P85b6HXoco2i6FCmLjLoBM786dQ1q87d3+pQvRkdunV3Vd8r08grNkYfEPI/ZdLES 4acO8AVGD2C3cN37AOmHumjUNvibU0/GU4Ci0=
MIME-Version: 1.0
Received: by 10.101.7.28 with SMTP id k28mr4423039ani.49.1259950611560; Fri, 04 Dec 2009 10:16:51 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785293671@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343785183009@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B0D3698.8070706@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E72343785209782@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B0D5EE1.9000309@cs.tcd.ie> <90C41DD21FB7C64BB94121FBBC2E723437852097FC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E1124A7241F7@WSMSG3153V.srv.dir.telstra.com> <90C41DD21FB7C64BB94121FBBC2E72343785293671@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 04 Dec 2009 10:16:51 -0800
Message-ID: <f98165700912041016k10366b88tb001f7700405083f@mail.gmail.com>
From: Breno <breno.demedeiros@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="001636c92cc8a2f8900479eb1c34"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signature crypto
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 18:17:13 -0000

While there are technical merits, both from security and performance
standpoints, to the alternative MAC proposals, there is not extensive
library support for those, and AFAIK they have little usage in the Internet.
I am not sure if it makes sense for OAuth to be on the leading edge in terms
of MAC algorithm adoption.

On Fri, Dec 4, 2009 at 10:07 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

> Is there actual demand to make the HMAC method more generic to allow other
> kinds of MAC?
>
> EHL
>
> > -----Original Message-----
> > From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
> > Sent: Thursday, November 26, 2009 7:43 PM
> > To: Eran Hammer-Lahav; Stephen Farrell
> > Cc: OAuth WG (oauth@ietf.org)
> > Subject: RE: [OAUTH-WG] Signature crypto
> >
> > >> Sounds reasonable if all you need to negotiate are hash algorithm
> names.
> > >> Is that the case?
> >
> > > Yes.
> >
> > Not quite.
> > OAuth (at least the authentication part) mainly needs a MAC algorithm,
> not a
> > hash algorithm.
> > HMAC is one popular MAC algorithm that is build from a hash algorithm.
> > However, there are other MAC algorithms — based on block ciphers for
> > instance (eg CMAC-AES).
> > The hash registry http://www.iana.org/assignments/hash-function-text-
> > names/ is not really going to help.
> >
> > P.S. The body-signing OAuth extension is the one place that uses a hash
> (not
> > a MAC) directly.
> >
> > James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Breno de Medeiros

v2.23.0 | Report a Bug | By Email