Re: [OAUTH-WG] why are we signing?

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 02 December 2009 18:19 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Panzer <jpanzer@google.com>, Prateek Mishra <prateek.mishra@oracle.com>
Date: Wed, 02 Dec 2009 11:19:38 -0700
Thread-Topic: [OAUTH-WG] why are we signing?
Thread-Index: Acpzd9lU/sD+LKvUQhOn0+DpNqexCQABCBmA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234378520A203@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B15D7C2.2070901@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912011946j600f8cbcl918af16fbbbc3206@mail.gmail.com> <EDFFBBF1-7FBB-4F4E-A0D8-B92C9036B33C@microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343785209F94@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B1637EB.5080502@cs.tcd.ie> <4B16855C.90209@oracle.com> <cb5f7a380912020949u390d19f4x2e2f5c90722ba6c8@mail.gmail.com>
In-Reply-To: <cb5f7a380912020949u390d19f4x2e2f5c90722ba6c8@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?

And we are always looking for people to write those...

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Panzer
Sent: Wednesday, December 02, 2009 9:49 AM
To: Prateek Mishra
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?

It requires a security considerations section :).
--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer


On Wed, Dec 2, 2009 at 7:18 AM, Prateek Mishra <prateek.mishra@oracle.com> wrote:
Stephen,

+1 from our side.

Here is a newbie question: does the IETF process require a discussion of threats and countermeasures
as part of the specification? - explaining the specific situations that rely on SSL or signing and what the consequences
of "turning it off" might be...

- prateek

I think we'll need an analysis of where we end up wanting TLS
for the protocols we produce. I wouldn't expect any big
surprises, but right now I don't think we can be sure since
things seem to be in flux to some extent.

Then, I'd be for saying that TLS MUST be used for those operations.
However, I can well believe that there may be some niches where
using TLS isn't easy, so I could live with something like: it MUST
be possible to use TLS, and that deployments SHOULD use it, with
guidance as to the type of scenario where we think TLS really
has to be turned on, and maybe text about why sometimes people
can't do that.

So I don't think we can finish this discussion at this stage.

S.

Eran Hammer-Lahav wrote:

<smiling but not joking>

I would like to make an official request to the chair for a consensus call on recommending SSL but keeping it optional in the various OAuth components. We can figure out how strong to make the language (or how scary), and we may make it mandatory in some flows/profiles, but I would like to be done with this discussion (for the nth time).

If someone will want to raise new arguments, well, this is the IETF so who can stop them? :-)

EHL


-----Original Message-----
From: Dick Hardt [mailto:Dick.Hardt@microsoft.com]
Sent: Tuesday, December 01, 2009 9:51 PM
To: Brian Eaton
Cc: Eran Hammer-Lahav; Peter Saint-Andre; <ext@core3.amsl.com>;
Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
Subject: Re: [OAUTH-WG] why are we signing?


On 2009-12-01, at 5:46 PM, Brian Eaton wrote:


On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

Getting a Class 1 cert from the likes of StartSSL is easy as pie
these days. IMHO there is no excuse for not deploying SSL if you
care one whit about security. The problem is that too many
small-scale developers (and big companies!) simply don't care.

Don't care, don't need that much security, don't understand it, etc.

Bottom line is that requiring SSL is certain to fork this work if not done right.

Note, however, that someone who can't get SSL working and still
deploys OAuth has basically no security against eavesdroppers or MITM
attacks, and certainly can't expect OAuth to provide it.  The issues
are in the token issuance phase: these organizations are sending user
passwords and session cookies in clear text!  OAuth is the least of
their security concerns,

If the cost of SSL outweighs the risk of a security breach, then why would a
developer deploying OAuth choose to sign their messages rather than use
the simpler bearer token?

Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I think
that is a good question. Perhaps it should be RECOMMENDED, and
deployments can make their own benefit analysis.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

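The question the thread keeps circling ("why would a developer sign rather than use a bearer token, if they won't turn on SSL?") is easiest to answer by looking at what a passive eavesdropper actually gets in each case. The following is an added example, not code from the OAuth WG, from any of the posters, or from any implementation mentioned above. It implements OAuth 1.0 HMAC-SHA1 request signing as specified in RFC 5849 section 3.4 (the request is the RFC's own section 3.4.1.1 example, so the signature base string can be checked against the RFC), then plays the eavesdropper: a captured signed request verifies when replayed verbatim unless the server tracks nonces, but it cannot be altered or reused for a different request because the client and token secrets never go on the wire; a captured bearer token is accepted for anything until it is revoked. The credentials, the `lookup_secrets` helper, the in-memory nonce store and the bearer-token table are constructed for the demo and are assumptions of the example.

```python
"""OAuth 1.0 HMAC-SHA1 request signing (RFC 5849, section 3.4) beside a bearer token.
Added example for the thread above, not code from the OAuth WG or any implementation
discussed there. Secrets, the nonce store and the helper names are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    # RFC 5849 3.6: percent-encode everything outside the RFC 3986 unreserved set, uppercase hex.
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default ports, drop query and fragment.
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, body: str, oauth: dict) -> str:
    # RFC 5849 3.4.1: query parameters, form-encoded body parameters and the oauth_* parameters
    # (without oauth_signature) are encoded, sorted by name then value and joined as k=v&k=v.
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True) if body else []
    pairs += [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(method, url, body, oauth, client_secret, token_secret) -> str:
    # RFC 5849 3.4.2: key is enc(client secret)&enc(token secret); the secrets never go on the wire.
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, body, oauth).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, body, client_id, client_secret, token, token_secret, nonce=None, ts=None):
    # Client side: produce the oauth_* parameters that go into the Authorization header.
    oauth = {
        "oauth_consumer_key": client_id,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts if ts is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    oauth["oauth_signature"] = hmac_sha1(method, url, body, oauth, client_secret, token_secret)
    return oauth


def verify_request(method, url, body, oauth, lookup_secrets, seen_nonces):
    # Server side: recompute from the stored secrets, compare in constant time, then reject a
    # (client, token, timestamp, nonce) tuple already seen. Without the nonce store a verbatim
    # replay of a captured request verifies: the signature binds the request, not its freshness.
    try:
        client_secret, token_secret = lookup_secrets(oauth["oauth_consumer_key"], oauth["oauth_token"])
        replay_key = (oauth["oauth_consumer_key"], oauth["oauth_token"],
                      oauth["oauth_timestamp"], oauth["oauth_nonce"])
    except KeyError:
        return False
    expected = hmac_sha1(method, url, body, oauth, client_secret, token_secret)
    if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
        return False
    if replay_key in seen_nonces:
        return False
    seen_nonces.add(replay_key)
    return True


def demo() -> dict:
    # Constructed credentials; the request itself is the RFC 5849 section 3.4.1.1 example.
    creds = {("9djdj82h48djs9d2", "kkk9d7dh3k39sjv7"): ("client-secret-demo", "token-secret-demo")}
    lookup = lambda cid, tok: creds[(cid, tok)]
    seen = set()
    url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    body = "c2&a3=2+q"
    captured = sign_request("POST", url, body, "9djdj82h48djs9d2", "client-secret-demo",
                            "kkk9d7dh3k39sjv7", "token-secret-demo", nonce="7d8f3e4a", ts=137131201)
    # An eavesdropper on a plaintext hop now holds `captured` plus the request. What can it do?
    bearer_tokens = {"captured-bearer-token-demo"}  # what a bearer-token server would hold instead
    return {
        "genuine_accepted": verify_request("POST", url, body, captured, lookup, seen),
        "verbatim_replay_rejected": not verify_request("POST", url, body, captured, lookup, seen),
        "tampered_body_rejected": not verify_request("POST", url, body + "&amount=1000", captured, lookup, set()),
        "other_request_rejected": not verify_request("DELETE", "http://example.com/account", "", captured, lookup, set()),
        # A captured bearer token is checked only for membership: any method, any URL, until revoked.
        "bearer_reuse_accepted": "captured-bearer-token-demo" in bearer_tokens,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the signature does and does not buy without TLS: it keeps the secrets off the wire and binds method, URI and parameters, so a captured request cannot be edited or redirected, but it does nothing for confidentiality of the request and response, and replay protection depends entirely on the server keeping a nonce/timestamp store. That is the trade-off behind the "recommend SSL, keep it optional, say how scary it is" position above.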