IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Signature

Nat Sakimura <sakimura@gmail.com> Tue, 27 July 2010 22:34 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 767C328C100 for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 15:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Level:
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5szbO-0TynG for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 15:34:57 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 240E228C0EF for <oauth@ietf.org>; Tue, 27 Jul 2010 15:34:57 -0700 (PDT)
Received: by iwn38 with SMTP id 38so4361617iwn.31 for <oauth@ietf.org>; Tue, 27 Jul 2010 15:35:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=GRLCsQyYpML0lyobMAFZOlcEt9QwJjn2ZMta42lnlfM=; b=TvAjZr05kD5v08OtINRmRbIUBTsH7uIaiR1wxLGIUJMs0U5fM99KrUPiPth/qsh2X4 voD6RnLq7IFLVMfsS0z+WupQLwfko2cbe90wO28EMZeO6KBXOGgFllMJULax26iPcLWt Li/yxAYQcYmLGRa5ZYn1cwaJJ/nf1wSAbCU5k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=Omka9PSPUEoB4hbAfEuiYKGNhkQA8LpdH0p7uFs25FNkRIsBR28JIfAx3uG0W0/s5S zlAW89Cqhwh11WKR+5RuSBjfAPBtLcSXsRwxslG08SJWx3MtZ+0sJgoeRDAmD26lVxyh 3a2+4u9hDDtuuMdO07u6PsR1X23sdO9jtA/Rc=
MIME-Version: 1.0
Received: by 10.231.146.141 with SMTP id h13mr11232686ibv.1.1280270118574; Tue, 27 Jul 2010 15:35:18 -0700 (PDT)
Received: by 10.231.158.67 with HTTP; Tue, 27 Jul 2010 15:35:18 -0700 (PDT)
In-Reply-To: <AANLkTikStNbY_qQr0vivO80HRNyxMpuBtaA799CwG_n9@mail.gmail.com>
References: <AANLkTi=XYFSVeNxA43k+zYwt6yoGDtioa3kR47eaNYB+@mail.gmail.com> <AANLkTikStNbY_qQr0vivO80HRNyxMpuBtaA799CwG_n9@mail.gmail.com>
Date: Wed, 28 Jul 2010 07:35:18 +0900
Message-ID: <AANLkTi=uxiXSD5AQc9Ugz2j1GrLtzZB0uK5gey-mdFac@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Dirk Balfanz <balfanz@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2010 22:34:58 -0000

On Wed, Jul 28, 2010 at 1:12 AM, Dirk Balfanz <balfanz@google.com> wrote:
>
>
> On Tue, Jul 27, 2010 at 12:34 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>> I have a fundamental question.
>>
>> While separating signature and payload by a dot "." seems ok,
>> I still have not the answer for the question "why not make everything
>> into JSON and base64url it?".
>>
>> i.e., Right now, you are proposing:
>>
>> base64url_encode(JSON(payload,envelope)).base64url_encode(signature)
>>
>> Why not
>>
>> base64url_encode(JSON(payload,envelope,signature)
>
> You need to say what exactly the signature is over. Presumably, it's over
> some representation of the payload and envelope, but you need to specify
> exactly which representation. So in this case you would have to say
> something like "the signature is over the concatenation of the
> base64-encodings of the JSON-encodings of the payload and envelope", or
> something along those lines. If you did exactly this, then you would base-64
> encode twice. Similar issues come up if you change the definition of what
> the signature is over slightly.

I did not spell out my question correctly. The pseudo code was very misleading.
By "JSON()" I was meaning something similar to magic signature json encoding
or something similar because I was mainly comparing JSON Token and
Magic Signature.
Of course, that cannot be read from what I wrote. Sorry for that.

My question is:
"why not just use a profiled/modified version of Magic Signature"

I do not want to have two signature methods.
If the currently proposed signature method can be unified with magic signature,
it would be great.

>
>>
>> It probably is less hassle in terms of coding. (It is true that some
>> parameters gets base64url encoded twice but
>
> How is encoding things twice "less hassle"?
>
>>
>> BTW, some of the envelope parameters such as alg needs to be signed as
>> well to thwart the algorithm replacing attack.
>
> Yes, of course. Remember that in the current proposal I don't have an
> envelope - everything is in the payload. That's partly because I didn't want
> to decide what gets signed and what doesn't - everything is signed. Which in
> this case is easy (alternatively, I guess, you could just say that both the
> envelope and the payload are signed). But it gets harder when you want to
> encrypt the token. In this case you really need to leave some parts
> unencrypted (so the recipient has _some_ information on how to decrypt the
> thing) - presumably those parts would go into an envelope.
> Dirk.
>
>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>
>



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en

v2.35.0 | Report a Bug | By Email | System Status