Re: [OAUTH-WG] signatures, v2
Greg Brail <gbrail@sonoasystems.com> Thu, 22 July 2010 18:57 UTC
Return-Path: <gbrail@sonoasystems.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC8CC3A68DE for <oauth@core3.amsl.com>; Thu, 22 Jul 2010 11:57:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EF2CMFP+GRs7 for <oauth@core3.amsl.com>; Thu, 22 Jul 2010 11:57:46 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 026F73A6829 for <oauth@ietf.org>; Thu, 22 Jul 2010 11:57:45 -0700 (PDT)
Received: by fxm1 with SMTP id 1so5019028fxm.31 for <oauth@ietf.org>; Thu, 22 Jul 2010 11:58:02 -0700 (PDT)
Received: by 10.103.181.10 with SMTP id i10mr731189mup.99.1279825082654; Thu, 22 Jul 2010 11:58:02 -0700 (PDT)
From: Greg Brail <gbrail@sonoasystems.com>
References: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
In-Reply-To: <AANLkTim7pvrLnQtz4WnDvYVRv0jbWgk3j8uMJj07CsM1@mail.gmail.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acskf/uNIcTdYtRwSDW+mHEpKrB3NwFTlU1A
Date: Thu, 22 Jul 2010 14:57:58 -0400
Message-ID: <79fcb9fe160d318b7fdc77e7671d4b0a@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001636416ce96d1fe4048bfe7f08"
Subject: Re: [OAUTH-WG] signatures, v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 18:57:48 -0000
I apologize since I have a feeling that this decision was made long ago but I'd like to understand... OAuth 1.0 had a secret associated with every token and used an HMAC to generate the signature. So, there is no way for an intermediary to see the token secret, regardless of whether SSL is used. OAuth 2.0 removed the token secret, which means that SSL must be used and any "legitimate" intermediaries like proxies and load balancers can see the token. We all agreed that this was a good thing and it greatly simplifies OAuth but it does eliminate some of the old OAuth 1.0 use cases. Are there still cases in which an API provider wishes to *avoid* using SSL, but still wants to ensure that a network eavesdropper or a legitimate intermediary cannot deduce the token and secret? I can imagine that such a mechanism might still be useful in environments where SSL is cost-prohibitive, such as for storage APIs that return very large data sets that are not sensitive enough to require SSL. For instance, Amazon uses something like OAuth 1.0 signatures in their AWS APIs. Does anyone have an idea whether they are still happy with that decision, or do they wish that they had just required SSL for everything? Is there any proposal to introduce an extension that works like the "old" OAuth 1.0 signature mechanism, including the usage of a token secret? Is that idea totally dead or just dormant? *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of *Dirk Balfanz *Sent:* Thursday, July 15, 2010 8:44 PM *To:* OAuth WG *Subject:* [OAUTH-WG] signatures, v2 Hi guys, after reading through the feedback, we did a pass over the OAuth signature proposals. As a reminder, there are three documents: - a document (called "JSON Tokens") that just explains how to sign something and verify the signature: http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4 - an extension of JSON Tokens that can be used for signed OAuth tokens: http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU - a different extension of JSON Tokens that can be used whenever the spec calls for an "assertion": http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc (When used in the assertion flow, this last token can also be used to do "2-legged" OAuth) A summary of the (scant) changes: - we spelled out what we mean by RSA-SHA256.* Ben Laurie *- can you double-check that that sounds good? - we decided on unpadded websafe-base64 throughout. - some changes to parameter names. - some small changes I might be forgetting now... As explained in my message to the previous thread, there is still no envelope in there to help with encrypted tokens (b/c we don't understand well enough what the envelopes for encrypted tokens would look like). One question: What's the deal with having the signature go first? If you can explain to me why that is a good idea, I'm happy to oblige. Cheers, Dirk & Marius.
- [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Naitik Shah
- Re: [OAUTH-WG] signatures, v2 Dick Hardt
- Re: [OAUTH-WG] signatures, v2 Torsten Lodderstedt
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Ben Laurie
- Re: [OAUTH-WG] signatures, v2 Nat Sakimura
- Re: [OAUTH-WG] signatures, v2 Greg Brail
- Re: [OAUTH-WG] signatures, v2 Greg Brail
- Re: [OAUTH-WG] signatures, v2 Torsten Lodderstedt
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz
- Re: [OAUTH-WG] signatures, v2 Dirk Balfanz