IETF Logo Mail Archive

Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 24 September 2010 02:51 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 766D23A6851 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D78bcS7gY+r8 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 19:50:57 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 1840F3A69B0 for <oauth@ietf.org>; Thu, 23 Sep 2010 19:50:56 -0700 (PDT)
Received: (qmail 21290 invoked from network); 24 Sep 2010 02:51:27 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 24 Sep 2010 02:51:25 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Thu, 23 Sep 2010 19:51:25 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Richard Barnes <rbarnes@bbn.com>, Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 23 Sep 2010 19:51:19 -0700
Thread-Topic: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
Thread-Index: ActbkZJn77FpKoBfSamWka10xffdagAAcqq4
Message-ID: <C8C16037.3AC75%eran@hueniverse.com>
In-Reply-To: <825F49AC-053F-4864-9FBF-CAAA17E141A1@bbn.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C8C160373AC75eranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 02:51:22 -0000

Thanks Richard.

FWIW, RFC 5849 was stuck in IESG discuss until I the language regarding the use of HTTPS with plaintext secrets was changed from SHOULD to MUST. Before the change, the security consideration section clearly highlighted the danger in not using HTTPS. OAuth 2.0 adds support for short-lived tokens which addresses *some* of these concerns, but completely lacks any requirements for issuing short-lived bearer tokens, or provides any guidance on what short-lived is.

I am happy to include the signature scheme from 1.0a as-is, but I think we can easily simplify it, as draft -05 demonstrated using less than 4 pages. It can be made even simpler.

I think draft -05 went too far in terms of additional parameters for requesting tokens with secrets. Since the core spec lacks any form of discovery, I think servers should simply issue whatever token they deem appropriate to the client (bearer, with secret, etc.). Other extensions can define parameters to allow the client to ask, and the server to advertise whaich schemes are supported.

My approach is for the server to issue a token with two additional parameters: signature algorithm and secret. Based on that, the client will send requests with a few additional parameters (nonce, timestamp, signature - maybe combined into one).

If it wasn't clear, the reason why I am back at fighting for this after taking a break for a few months, is based on the recent positive experience from the Twitter migration. To me, it completely voids the arguments that normalization on the client side is too hard.

EHL


On 9/23/10 7:38 PM, "Richard Barnes" <rbarnes@bbn.com> wrote:

I also agree with the observation about consensus being based on individual voices.

I don't think it's accurate to say that signatures are a generic security mechanism.  As I would think we learned from OAuth 1.0[a], it can actually be pretty subtle to define how signatures are used in a given context.

I doubt that a spec that only includes a "bearer token" model will not have enough of a security story to get past SECDIR and IESG review, especially without some careful thinking about when TLS is required and how it is negotiated (for example, you may need something like HSTS [1]).

On the other hand, it seems like a sensible compromise approach to re-use the signature scheme from OAuth 1.0a.  If there is interest in some other type of signing scheme, then of course the cost of this approach is having some sort of versioning / negotiation for signature algorithms.  But this may already be necessary to distinguish between signed requests and bearer-token requests.

--Richard

[1] <http://tools.ietf.org/html/draft-hodges-strict-transport-sec>




On Sep 23, 2010, at 9:30 PM, Dick Hardt wrote:

I agree with your point that consensus is based on individual voices.

I agree with Eric's points that signatures are a generic security mechanism and that signatures should be in a separate spec.

-- Dick


On 2010-09-23, at 6:11 PM, Eran Hammer-Lahav wrote:

It is pretty clear from the recent public response that a core specification without signatures is going to be viewed as weak and insecure. This has been my position for over a year, and if it wasn't clear, I am going to continue expressing it.

 We have enough interest to get a basic signature support in the core specification, one that is not driven by enterprise use cases, complex identity solutions, or large distributed systems. Given the recent Twitter migration to OAuth 1.0a proved that with a big enough carrot (or stick, depending on your view), developers figure it out. I believe that an OAuth 1.0a style signature can be easily developed and added to the core specification as an optional feature.

 This is not new. This was agreed upon at the Anaheim meeting. I took the signature language out of the draft in order to focus the discussion on the other components. Now that -10 is pretty solid (normative language-wise), it is time to bring it back in.

 Draft -11 will include a signature proposal, even if that means a short delay.

 The arguments about delaying the core spec are meritless, given that a growing number of companies are releasing OAuth 2.0 APIs using the latest stable draft. We can easily do a WGLC for the current stable components, and add signatures without changing those. This working group does not make technical and architectural decisions based on the timeline needs of any company. We do what is best for the web and we take as much time as necessary.

 As an aside, while companies can certainly express their corporate position on matters, this is a working group of individuals, and consensus is based solely on individual voices.

 EHL






 On 9/23/10 5:30 PM, "Eric Sachs" <esachs@google.com <x-msg://483/esachs@google.com> > wrote:


Google wanted to re-state our long standing opinions on HTTP signature mechanisms in the OAuth2 spec.  The short version is that standards for signing parts of an HTTP request have value in use-cases other than OAuth2, and thus they should be defined outside the spec, and just referenced from the spec similar to how we reference other Internet security building blocks like SSL.  Those signature standards are likely to in turn reference optional mechanisms for key rotation and discovery, as well as reference different crypto schemes like HMAC or RSA.

 There are already people in the identity community working on specs that are related to OAuth2, but which have value in other use-cases.  For example, there are people working on defining standards around token formats, signing blobs of different types (such as a token and/or HTTP request), key discovery/rotation, and consumer-key namespaces across vendors.  Dirk Balfanz from Google recently sent out updated drafts of some of those specs, and they also leverage specs that John Panzer from Google has worked on for Magic Signatures, as well as input from people in the community who are not at Google.

 However even though Google is working on those specs, we still believe it is a mistake to delay the OAuth2 core spec standard to wait on broad agreement for a "signature proposal," just as it would be a mistake to delay the OAuth2 core spec to wait on the standards efforts around token formats, token signing, key discovery/rotation, consumer-key naming, etc.



 _______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email