Re: [OAUTH-WG] OAuth Signature Draft Pre 00

David Recordon <recordond@gmail.com> Mon, 27 September 2010 16:22 UTC

In-Reply-To: <1990A18DEA6E97429CFD1B4D2C5DA7E70C959D@TK5EX14MBXC101.redmond.corp.microsoft.com>
References: <AANLkTikSKX8jisucEbZOUnkGYUz0DnBSB_KWXGM3bJcS@mail.gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C62D263BB@TK5EX14MBXC111.redmond.corp.microsoft.com> <AANLkTinZbFmWcuALHnd5NFik8HRkKgH0AgMzFMgarrYX@mail.gmail.com> <AANLkTikhsE=Pcep09K7j=6Q0hbJMsssjf66ep103n9Oj@mail.gmail.com> <1990A18DEA6E97429CFD1B4D2C5DA7E70C959D@TK5EX14MBXC101.redmond.corp.microsoft.com>
Date: Mon, 27 Sep 2010 09:23:34 -0700
Message-ID: <AANLkTik6Jmc6bo8+ok3iFKEJ2grXZrmCXp+LOXM8Zf57@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary="0016e6480d1e62c9d70491402673"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Signature Draft Pre 00

Mike and Yaron's proposal is different from Nat's though. Nat's is based
directly around OAuth versus explicitly defining a separate signing
mechanism and then a second spec to map it into OAuth. It also supports
fewer options (no unsigned tokens for example) which makes it easier to
understand within this context. Dirk's now seems to be four specs which then
reference Magic Signatures for the underlying signing.


On Mon, Sep 27, 2010 at 9:17 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> So we have been working with Nat on the signature proposal, and talking to
> Nat, he agrees that the JWT proposal is well under way. What I would like to
> make sure is that we merge in with your proposal.
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of* Dirk Balfanz
> *Sent:* Monday, September 27, 2010 9:13 AM
> *To:* David Recordon
> *Cc:* oauth
> *Subject:* Re: [OAUTH-WG] OAuth Signature Draft Pre 00
>
> I'm just as confused :-) I think what happened is that I posted a signature
> draft and then didn't follow up. Nat then very kindly agreed to help and put
> out a draft, but that also didn't get much momentum. So I went back and
> re-did my drafts. Also, somewhere along the way, Yaron wrote a draft. At
> least that's what it looks like from where I'm sitting. I might be getting
> it wrong (maybe Yaron's draft represents a merge of his and Nat's thinking?
> - I'm not sure).
>
> At any rate, of course we need to end up with one proposal in the end. I'm
> fairly agnostic about the details, but I believe the following should be
> true about any merged proposal:
>
> - very limited number of options for signature algorithms, key
> representations (should not require more than 10..20 lines of code in your
> given platform, without any additional library, to implement signature and
> key parsing).
>
> - must support both public and symmetric keys.
>
> - should not have security flaws
>
> Dirk.
>
> On Mon, Sep 27, 2010 at 6:59 AM, David Recordon <recordond@gmail.com>
> wrote:
>
> I'm a bit confused between the relationship of Nat's I-D and the documents
> you and Mike recently posted. Is the goal to have one I-D? Nat's seems to
> have fewer options and different modes which makes it easier to read and
> understand.
>
> On Mon, Aug 30, 2010 at 11:47 AM, Yaron Goland <yarong@microsoft.com>
> wrote:
>
> BTW, Nat and I, as mentioned below, are talking. Here is my current
> draft. Please keep in mind that it's really just a set of notes trying to
> capture all the issues involved in creating a secure token format, so it's a
> bit dense. My hope is that once all the issues are captured it can be
> completely re-written to be in something that looks more like English and is
> easier for actual implementers to follow. But for now I think it gives a
> good sense of some of the security challenges in creating a secure token
> format.
>
> Yaron
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of* Nat Sakimura
> *Sent:* Tuesday, August 24, 2010 6:50 AM
> *To:* oauth
> *Subject:* [OAUTH-WG] OAuth Signature Draft Pre 00
>
> Hi.
>
> It has been a few weeks since I volunteered to do this work.
>
> I have written up to this pre-00 draft and have then been doing some reality
> checks on some scripting languages, etc.
>
> No. This pre-00 draft is far from being feature complete.
>
> I still need to copy and paste the Magic Signatures text etc.
>
> Also, I should add how this spec is being used in some of the major flows.
>
> However, since I will not be able to work on it this week, I thought it
> would be worthwhile to share this early draft so that you have some clarity
> into the progress.
>
> Apparently, Yaron has been working on it as well. We will compare the notes
> and try to merge, I hope.
>
> So, here it is!
>
> #For those of you who have seen the private draft, it has not been changed
> since July 31.
>
> Best,
>
> =nat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
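Dirk's requirements above (a very small set of signature algorithms, support for both symmetric and public keys, and signing plus key handling implementable in a few lines of platform code without extra libraries) can be illustrated with a compact signed-token sign/verify pair. The following is an added example written for this archive page, not code from Nat's, Yaron's, Mike's or Dirk's drafts: the three-segment base64url layout, the fixed `{"alg":"..."}` header, and the names `Alg`, `HS256`, `RS256`, `Sign` and `Verify` are all assumptions made here for illustration. It uses only the Go standard library, allows exactly HMAC-SHA256 (shared key) and RSA PKCS#1 v1.5 with SHA-256 (public key), and makes the verifier state which algorithm and key it expects rather than trusting the token's header to choose.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Alg names the two signature algorithms this example allows (an assumption
// for illustration; the thread's drafts define their own option sets).
type Alg string

const (
	HS256 Alg = "HS256" // HMAC with SHA-256, symmetric key
	RS256 Alg = "RS256" // RSA PKCS#1 v1.5 with SHA-256, public key
)

// b64 is the unpadded base64url encoding used for every token segment.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// header is the only header this example emits; keeping it fixed lets the
// verifier compare it byte-for-byte instead of parsing JSON.
func header(alg Alg) string { return fmt.Sprintf(`{"alg":"%s"}`, alg) }

// Sign produces header.payload.signature, each segment base64url encoded.
// key is []byte for HS256 and *rsa.PrivateKey for RS256.
func Sign(alg Alg, payload []byte, key interface{}) (string, error) {
	signingInput := b64([]byte(header(alg))) + "." + b64(payload)
	var sig []byte
	switch alg {
	case HS256:
		k, ok := key.([]byte)
		if !ok {
			return "", errors.New("HS256 requires a []byte key")
		}
		m := hmac.New(sha256.New, k)
		m.Write([]byte(signingInput))
		sig = m.Sum(nil)
	case RS256:
		k, ok := key.(*rsa.PrivateKey)
		if !ok {
			return "", errors.New("RS256 requires an *rsa.PrivateKey")
		}
		h := sha256.Sum256([]byte(signingInput))
		var err error
		if sig, err = rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:]); err != nil {
			return "", err
		}
	default:
		return "", errors.New("unsupported algorithm")
	}
	return signingInput + "." + b64(sig), nil
}

// Verify checks a token against the algorithm and key the verifier expects.
// The caller, not the token header, decides which algorithm applies; a header
// naming anything else is rejected before any cryptography runs.
func Verify(token string, alg Alg, key interface{}) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || string(hdr) != header(alg) {
		return nil, errors.New("header does not name the expected algorithm")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	signingInput := parts[0] + "." + parts[1] // signed bytes, exactly as received
	switch alg {
	case HS256:
		k, ok := key.([]byte)
		if !ok {
			return nil, errors.New("HS256 requires a []byte key")
		}
		m := hmac.New(sha256.New, k)
		m.Write([]byte(signingInput))
		if !hmac.Equal(m.Sum(nil), sig) { // constant-time comparison
			return nil, errors.New("bad signature")
		}
	case RS256:
		k, ok := key.(*rsa.PublicKey)
		if !ok {
			return nil, errors.New("RS256 requires an *rsa.PublicKey")
		}
		h := sha256.Sum256([]byte(signingInput))
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig) != nil {
			return nil, errors.New("bad signature")
		}
	default:
		return nil, errors.New("unsupported algorithm")
	}
	return payload, nil
}
```

Usage is `tok, err := Sign(HS256, payload, sharedKey)` followed by `payload, err := Verify(tok, HS256, sharedKey)`; for RS256 the signer holds an `*rsa.PrivateKey` (for instance from `rsa.GenerateKey(rand.Reader, 2048)`) and the verifier its `*rsa.PublicKey`. The two `switch` statements are the whole algorithm catalogue, so adding an option is a visible, reviewable change rather than a header value a token can supply, which is the property Dirk's "very limited number of options" and "should not have security flaws" bullets are after.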