Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
Skylar Woodward <skylar@kiva.org> Tue, 08 February 2011 07:43 UTC
Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0445E3A7047 for <oauth@core3.amsl.com>; Mon, 7 Feb 2011 23:43:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.224
X-Spam-Level:
X-Spam-Status: No, score=-2.224 tagged_above=-999 required=5 tests=[AWL=-0.225, BAYES_00=-2.599, J_CHICKENPOX_84=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qh4ISuk6S5U for <oauth@core3.amsl.com>; Mon, 7 Feb 2011 23:43:12 -0800 (PST)
Received: from na3sys010aog110.obsmtp.com (na3sys010aog110.obsmtp.com [74.125.245.88]) by core3.amsl.com (Postfix) with SMTP id 6A8A93A6CAF for <oauth@ietf.org>; Mon, 7 Feb 2011 23:43:11 -0800 (PST)
Received: from source ([74.125.82.49]) (using TLSv1) by na3sys010aob110.postini.com ([74.125.244.12]) with SMTP ID DSNKTVD0FBRt1iqQsEC8f8n1Wec8F9PucOM6@postini.com; Mon, 07 Feb 2011 23:43:18 PST
Received: by wwb17 with SMTP id 17so5813560wwb.6 for <oauth@ietf.org>; Mon, 07 Feb 2011 23:43:15 -0800 (PST)
Received: by 10.227.127.84 with SMTP id f20mr16846942wbs.160.1297150993950; Mon, 07 Feb 2011 23:43:13 -0800 (PST)
Received: from [10.0.1.4] (dan75-7-88-166-184-189.fbx.proxad.net [88.166.184.189]) by mx.google.com with ESMTPS id x1sm4141221wbh.14.2011.02.07.23.43.10 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 07 Feb 2011 23:43:12 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A90BFC42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 08 Feb 2011 08:43:07 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <2EFA9E76-1E3B-411A-852F-5640167A9AA4@kiva.org>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D61EBF@P3PW5EX1MB01.EX1.SECURESERVER.NET> <5A4C1B6B-7D51-4D12-A468-5A5991D72DCB@kiva.org> <90C41DD21FB7C64BB94121FBBC2E723445A90BFC42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1082)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2011 07:43:13 -0000
Here's a thought: signed_content="request,query,body" If not included, it defaults to "request,query". It's non-breaking (except for the implied removal of bodyhash), allows for either body or query content to be omitted from the signature, and looks less ugly than bodyhash=true. If you prefer, the value of this attribute could be one of a predefined string (request_query, request_query_body, request, etc.) rather than individual parsed elements. On Feb 7, 2011, at 6:26 PM, Eran Hammer-Lahav wrote: > Yeah... > > I struggled with that. There is no reason to include the body hash with the request other than to indicate a body hash is included in the normalized request string. It's just that an attribute like 'bodyhash=true' is so ugly... > > I'm still thinking about this. > > EHL > >> -----Original Message----- >> From: Skylar Woodward [mailto:skylar@kiva.org] >> Sent: Monday, February 07, 2011 9:25 AM >> To: Eran Hammer-Lahav; OAuth WG >> Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 >> >> On body-hash... >> >> Having completed a trial implementation, it seems redundant, and >> potentially problematic, to include the body-hash in the Authentication >> header. The danger is that implementors may neglect to recalculate the hash >> themselves, reusing the value (even if incorrect) provided by the client. Why >> not just require the provider to calculate this and validate it by comparing the >> final signature? This way it's clearer for everyone what the expectations are >> in validating the signature. >> >> I propose either a flag (eg, usebodyhash="1") or an algorithm >> (bodyhashalgorithm="sha1"). If this parameter was provided, the correct >> hash would be added to the base string for signing. If omitted (or set false?) >> then an empty string is used for base string element #4. >> >> >> On including parameters for signing... >> >> I'd retract my suggestion that we'd include parameter-hash in the header. >> Instead, I would suggest making parameters optional in calculating the >> signature using a flag as with bodyhash. Providers could require including >> parameters if so desired. Parameters could be included as currently defined, >> or with a hash method similar to entity-body (which I find both simpler and >> more congruent). >> >> Again, the goal in making query parameters optional is to allow providers to >> make signature calculation as simple as possible for clients (so much as it is in >> line with the security requirements of the provider) and avoid complexities in >> implementation such as those that tripped up OAuth 1. >> >> >> >> On Jan 22, 2011, at 2:09 AM, Eran Hammer-Lahav wrote: >> >>> http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 >>> >>> New version includes the following changes: >>> >>> o Added body-hash support. >>> o Updated OAuth 2.0 reference to -12 and added token type registration >> template. >>> o Removed error and error URI attributes (codes were just a duplication >> of the HTTP status codes). >>> >>> Feedback would be greatly appreciated. >>> >>> EHL >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Michael D Adams
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 William Mills
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Skylar Woodward
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav
- Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 Eran Hammer-Lahav