Re: [OAUTH-WG] why are we signing?
Eran Hammer-Lahav <eran@hueniverse.com> Wed, 02 December 2009 18:19 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Panzer <jpanzer@google.com>, Prateek Mishra <prateek.mishra@oracle.com>
Date: Wed, 02 Dec 2009 11:19:38 -0700
Cc: "oauth@ietf.org" <oauth@ietf.org>

And we are always looking for people to write those...

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Panzer
Sent: Wednesday, December 02, 2009 9:49 AM
To: Prateek Mishra
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?

It requires a security considerations section :).

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer

On Wed, Dec 2, 2009 at 7:18 AM, Prateek Mishra <prateek.mishra@oracle.com> wrote:

Stephen,

+1 from our side. Here is a newbie question: does the IETF process require a discussion of threats and countermeasures as part of the specification?

- explaining the specific situations that rely on SSL or signing and what the consequences of "turning it off" might be...

- prateek

I think we'll need an analysis of where we end up wanting TLS for the protocols we produce. I wouldn't expect any big surprises, but right now I don't think we can be sure since things seem to be in flux to some extent.

Then, I'd be for saying that TLS MUST be used for those operations. However, I can well believe that there may be some niches where using TLS isn't easy, so I could live with something like: it MUST be possible to use TLS, and that deployments SHOULD use it, with guidance as to the type of scenario where we think TLS really has to be turned on, and maybe text about why sometimes people can't do that.

So I don't think we can finish this discussion at this stage.

S.

Eran Hammer-Lahav wrote:

<smiling but not joking>

I would like to make an official request to the chair for a consensus call on recommending SSL but keeping it optional in the various OAuth components. We can figure out how strong to make the language (or how scary), and we may make it mandatory in some flows/profiles, but I would like to be done with this discussion (for the nth time).

If someone will want to raise new arguments, well, this is the IETF so who can stop them? :-)

EHL

-----Original Message-----
From: Dick Hardt [mailto:Dick.Hardt@microsoft.com]
Sent: Tuesday, December 01, 2009 9:51 PM
To: Brian Eaton
Cc: Eran Hammer-Lahav; Peter Saint-Andre; <ext@core3.amsl.com>; Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?

On 2009-12-01, at 5:46 PM, Brian Eaton wrote:

On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

Getting a Class 1 cert from the likes of StartSSL is easy as pie these days. IMHO there is no excuse for not deploying SSL if you care one whit about security.

The problem is that too many small-scale developers (and big companies!) simply don't care. Don't care, don't need that much security, don't understand it, etc. Bottom line is that requiring SSL is certain to fork this work if not done right.

Note, however, that someone who can't get SSL working and still deploys OAuth has basically no security against eavesdroppers or MITM attacks, and certainly can't expect OAuth to provide it. The issues are in the token issuance phase: these organizations are sending user passwords and session cookies in clear text! OAuth is the least of their security concerns.

If the cost of SSL outweighs the risk of a security breach, then why would a developer deploying OAuth choose to sign their messages rather than use the simpler bearer token?

Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I think that is a good question. Perhaps it should be RECOMMENDED, and deployments can make their own benefit analysis.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
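The thread above argues about what signing buys a deployment that will not, or cannot, run TLS. The following is an added illustration of that trade-off and is not code from the OAuth WG thread or from any OAuth specification: a passive eavesdropper on a plaintext channel captures one request and then tries to reuse it. The signature scheme is a simplified OAuth 1.0-style HMAC-SHA1 over a normalized base string (an assumption: it follows the shape of RFC 5849's signature base string but omits several of its parameters and is not a complete implementation); the credentials, nonce, clock value and URLs are constructed sample data.

```python
"""Bearer token vs. signed request as seen by an eavesdropper on a non-TLS channel.

Added illustration, not code from the OAuth WG thread. The signing scheme is a
simplified OAuth 1.0-style HMAC-SHA1 (assumption: RFC 5849 shape, not a full
implementation of its parameter normalization rules).
"""
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and a fixed clock (assumptions, not real secrets).
CLIENT_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
BEARER_TOKEN = "vF9dft4qmT"
NOW = 1259777978  # fixed "current time" so the example is deterministic


def _pct(s):
    """Percent-encode with no reserved characters left unescaped."""
    return quote(s, safe="")


def signature_base_string(method, url, params):
    """Normalize method, URL and sorted parameters into the string that gets signed."""
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def sign_request(method, url, params, nonce, timestamp,
                 client_secret=CLIENT_SECRET, token_secret=TOKEN_SECRET):
    """HMAC-SHA1 over the base string, keyed with client secret and token secret."""
    signed_params = dict(params, oauth_nonce=nonce, oauth_timestamp=str(timestamp))
    base = signature_base_string(method, url, signed_params)
    key = f"{_pct(client_secret)}&{_pct(token_secret)}".encode()
    return hmac.new(key, base.encode(), hashlib.sha1).hexdigest()


class ResourceServer:
    """Accepts either a bearer token or a signed request; remembers nonces to catch replays."""

    WINDOW = 300  # seconds of clock skew tolerated on oauth_timestamp

    def __init__(self):
        self.seen_nonces = set()

    def accept_bearer(self, headers):
        token = headers.get("Authorization", "")
        return hmac.compare_digest(token, f"Bearer {BEARER_TOKEN}")

    def accept_signed(self, method, url, params, nonce, timestamp, signature, now=NOW):
        if abs(now - timestamp) > self.WINDOW:
            return False  # stale timestamp
        if nonce in self.seen_nonces:
            return False  # exact replay of a request already served
        expected = sign_request(method, url, params, nonce, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False  # method, URL or parameters were altered, or wrong key
        self.seen_nonces.add(nonce)
        return True


def bearer_over_plaintext():
    """Eavesdropper reads one bearer request and can then issue any request at all."""
    server = ResourceServer()
    captured = {"Authorization": f"Bearer {BEARER_TOKEN}"}  # sniffed from a GET /photos
    return {
        "legit_get": server.accept_bearer(captured),
        # The same header authorizes a completely different, destructive request.
        "attacker_delete_account": server.accept_bearer(captured),
    }


def signed_over_plaintext():
    """Eavesdropper reads one signed request; replaying or altering it both fail."""
    server = ResourceServer()
    method, url, params = "GET", "http://photos.example.net/photos", {"file": "vacation.jpg"}
    nonce, ts = "kllo9940pd9333jh", NOW
    sig = sign_request(method, url, params, nonce, ts)
    legit = server.accept_signed(method, url, params, nonce, ts, sig)
    # Replay of the exact captured request: rejected by the nonce check.
    replay = server.accept_signed(method, url, params, nonce, ts, sig)
    # Captured signature attached to a different request: rejected by the HMAC check.
    forged = server.accept_signed("DELETE", "http://photos.example.net/account", {},
                                  nonce + "x", ts, sig)
    return {"legit_get": legit, "attacker_replay": replay, "attacker_delete_account": forged}
```

What the example shows, and what it does not: on a plaintext channel the bearer token is the credential, so one captured request yields every request; the signed request only exposes a signature bound to that method, URL, parameter set and nonce, and the secrets never cross the wire. Signing does nothing for confidentiality of the request body, and, as the thread points out, nothing at all for the token issuance phase where the user's password or session cookie is sent; those still need TLS.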