Re: [OAUTH-WG] Signatures, Why?
"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Mon, 15 March 2010 18:08 UTC
Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 767F63A6C2C for <oauth@core3.amsl.com>; Mon, 15 Mar 2010 11:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.008
X-Spam-Level:
X-Spam-Status: No, score=-1.008 tagged_above=-999 required=5 tests=[AWL=-1.010, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDIVTg+sVBEa for <oauth@core3.amsl.com>; Mon, 15 Mar 2010 11:08:41 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id E646D3A6A60 for <oauth@ietf.org>; Mon, 15 Mar 2010 11:07:20 -0700 (PDT)
Received: from ihrh1.emsr.lucent.com (h135-1-218-53.lucent.com [135.1.218.53]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id o2FI7Rn3011050; Mon, 15 Mar 2010 13:07:27 -0500 (CDT)
Received: from USNAVSXCHHUB01.ndc.alcatel-lucent.com (usnavsxchhub01.ndc.alcatel-lucent.com [135.3.39.110]) by ihrh1.emsr.lucent.com (8.13.8/emsr) with ESMTP id o2FI7RAZ018148; Mon, 15 Mar 2010 13:07:27 -0500 (CDT)
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.119]) by USNAVSXCHHUB01.ndc.alcatel-lucent.com ([135.3.39.110]) with mapi; Mon, 15 Mar 2010 13:07:27 -0500
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 15 Mar 2010 13:07:25 -0500
Thread-Topic: [OAUTH-WG] Signatures, Why?
Thread-Index: AcrBkvkQFdi3501cRTmK75X6D7fOXQC1SBCA
Message-ID: <5710F82C0E73B04FA559560098BF95B124F0B2BC0B@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <d37b4b431003041200n1fc6cc5au83194aca28763b0d@mail.gmail.com> <4B99B2DD.3000405@stpeter.im>
In-Reply-To: <4B99B2DD.3000405@stpeter.im>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_5710F82C0E73B04FA559560098BF95B124F0B2BC0BUSNAVSXCHMBSA_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
Subject: Re: [OAUTH-WG] Signatures, Why?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2010 18:08:46 -0000
My highlights of the points raised on this thread are as follows: A Client needs to sign a request for the temporary credentials to: * Authenticate to the server * Provide means for ensuring that a request has not been modified A Client needs to sign a request for the token credentials to: * Ensure that of all the legitimate Clients only the Client authorized by the Resource Owner can access the resource * Provide means for ensuring that a request has not been modified If a request is signed with the client's private key it can be used for providing non-repudiation; an alternative solution for non-repudiation would require involvement of a third party. There are use cases where non-repudiation is needed. TLS protects only a session, not the data that need to be re-used later. Unless the whole session has been recorded and its key has been stored, the TLS does not provide non-repudiation. It appears that there is a consensus in UMA community that signing should remain an option for enabling authentication and auditing. There are use cases for which performance of a TLS-based solution would be worse than that of the signature-based solution. The signatures are widely used for providing security over the insecure channels in today's implementations. There is a view that the signature-based method should remain an option for providing security over an insecure channel. Zachary -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Peter Saint-Andre Sent: Thursday, March 11, 2010 10:20 PM To: oauth@ietf.org Subject: Re: [OAUTH-WG] Signatures, Why? <hat type='chair'/> On 3/4/10 1:00 PM, Blaine Cook wrote: > One of the things that's been a primary focus of both today's WG call > and last week's call is what are the specific use cases for > signatures? > > - Why are signatures needed? > - What do signatures need to protect? > > Let's try to outline the use cases! Please reply here, so that we have > a good idea of what they are as we move towards the Anaheim WG. This was a valuable thread. Perhaps someone could write up a summary of the points raised, either on the list or at the wiki? Peter -- Peter Saint-Andre https://stpeter.im/
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- [OAUTH-WG] Signatures, Why? Blaine Cook
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Leif Johansson
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Jochen Hiller
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Jochen Hiller
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Peter Saint-Andre
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Eve Maler
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Dick Hardt
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Eve Maler
- Re: [OAUTH-WG] Signatures, Why? Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? Paul Lindner
- Re: [OAUTH-WG] Signatures, Why? Igor Faynberg
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? John Kemp
- Re: [OAUTH-WG] Signatures, Why? Torsten Lodderstedt
- Re: [OAUTH-WG] Signatures, Why? Ethan Jewett
- Re: [OAUTH-WG] Signatures, Why? Brian Eaton
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures, Why? John Panzer
- Re: [OAUTH-WG] Signatures, Why? Eve Maler