Re: [OAUTH-WG] why are we signing?

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 02 December 2009 06:04 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <Dick.Hardt@microsoft.com>, Brian Eaton <beaton@google.com>
Date: Tue, 01 Dec 2009 23:04:23 -0700
Cc: "<ext@core3.amsl.com>" <ext@core3.amsl.com>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?

<smiling but not joking>

I would like to make an official request to the chair for a consensus call on recommending SSL but keeping it optional in the various OAuth components. We can figure out how strong to make the language (or how scary), and we may make it mandatory in some flows/profiles, but I would like to be done with this discussion (for the nth time).

If someone wants to raise new arguments, well, this is the IETF so who can stop them? :-)

EHL

> -----Original Message-----
> From: Dick Hardt [mailto:Dick.Hardt@microsoft.com]
> Sent: Tuesday, December 01, 2009 9:51 PM
> To: Brian Eaton
> Cc: Eran Hammer-Lahav; Peter Saint-Andre; <ext@core3.amsl.com>;
> Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
> Subject: Re: [OAUTH-WG] why are we signing?
> 
> 
> On 2009-12-01, at 5:46 PM, Brian Eaton wrote:
> 
> > On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav
> > <eran@hueniverse.com> wrote:
> >>> Getting a Class 1 cert from the likes of StartSSL is easy as pie
> >>> these days. IMHO there is no excuse for not deploying SSL if you
> >>> care one whit about security. The problem is that too many
> >>> small-scale developers (and big companies!) simply don't care.
> >>
> >> Don't care, don't need that much security, don't understand it, etc.
> >> Bottom line is that requiring SSL is certain to fork this work if not done right.
> >
> > Note, however, that someone who can't get SSL working and still
> > deploys OAuth has basically no security against eavesdroppers or MITM
> > attacks, and certainly can't expect OAuth to provide it.  The issues
> > are in the token issuance phase: these organizations are sending user
> > passwords and session cookies in clear text!  OAuth is the least of
> > their security concerns,
> 
> 
> If the cost of SSL outweighs the risk of a security breach, then why would a
> developer deploying OAuth choose to sign their messages rather than use
> the simpler bearer token?
> 
> Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I think
> that is a good question. Perhaps it should be RECOMMENDED, and
> deployments can make their own benefit analysis.
> 
> -- Dick
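The signing-versus-bearer trade-off Dick asks about above, as an added example that is not part of this thread or of any OAuth specification: a simplified HMAC request signature (loosely modelled on OAuth 1.0's HMAC-SHA1 method, not the exact base-string rules), a verifier that rejects tampered and replayed requests, and beside it a bearer check that any eavesdropper on a cleartext channel can satisfy. The secret, token, URL and request parameters are all constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import quote, urlencode

SECRET = "consumer-secret-example"   # constructed shared secret for the demo
BEARER = "bearer-token-example"      # constructed bearer token for the demo

def base_string(method, url, params):
    """Canonical request text: METHOD&url&sorted,percent-encoded params.
    Loosely modelled on OAuth 1.0's HMAC-SHA1 base string, not the exact rules."""
    query = urlencode(sorted(params.items()), quote_via=quote)
    return "&".join([quote(method.upper(), safe=""), quote(url, safe=""), quote(query, safe="")])

def sign(method, url, params, secret):
    """Client side: HMAC-SHA1 over the canonical request, keyed with the shared secret."""
    msg = base_string(method, url, params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()

class SignedVerifier:
    """Server side: recompute the HMAC and refuse stale timestamps and reused nonces."""
    def __init__(self, secret, window=300):
        self.secret, self.window, self.seen = secret, window, set()

    def verify(self, method, url, params, now):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        ts, nonce = int(p.get("oauth_timestamp", "0")), p.get("oauth_nonce", "")
        if abs(now - ts) > self.window or (ts, nonce) in self.seen:
            return False                        # stale or replayed request
        if not hmac.compare_digest(sig, sign(method, url, p, self.secret)):
            return False                        # tampered request or wrong secret
        self.seen.add((ts, nonce))
        return True

def bearer_verify(presented, expected):
    """A bearer token is only compared for equality: whoever holds it is 'the client'."""
    return hmac.compare_digest(presented, expected)

def run_scenarios():
    url = "http://api.example.test/transfer"   # constructed endpoint
    req = {"to": "alice", "amount": "10", "oauth_timestamp": "1000", "oauth_nonce": "n1"}
    req["oauth_signature"] = sign("POST", url, req, SECRET)
    srv = SignedVerifier(SECRET)
    tampered = dict(req, amount="9999")         # eavesdropper edits the captured request
    return {
        "signed_tampered": srv.verify("POST", url, tampered, now=1010),  # HMAC mismatch
        "signed_ok": srv.verify("POST", url, req, now=1010),             # genuine request
        "signed_replayed": srv.verify("POST", url, req, now=1020),       # nonce already seen
        # the same eavesdropper on a cleartext channel can reuse a bearer token at will
        "bearer_reused": bearer_verify(BEARER, BEARER),
    }
```

Note what signing does not cover: the credential issuance step Brian points to is still cleartext, so an eavesdropper who captured the shared secret itself would sign valid requests too.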