Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

Eric Sachs <esachs@google.com> Fri, 24 September 2010 01:27 UTC

To: Anthony Nadalin <tonynad@microsoft.com>
Cc: OAuth WG <oauth@ietf.org>

>> I believe that an OAuth 1.0a style signature
How about we start with exactly an OAuth 1.0a style signature?  It may be
tricky, but there are still client libraries and some web-services that
handle them.

Like Tony, I also have not heard requests for a new signature approach, but
one of the reasons is that there are already developers who are using OAuth2
& WRAP style approaches combined with OAuth1 signatures.  So why not simply
have a section in the core spec that mentions the option of using signatures
and gives OAuth1 as one of the possible approaches?

That avoids the potential concern of any large delay in the core spec to get
agreement on a new signature mechanism, but gives an option that can quickly
be used by developers, and provides a place to hook in other signature
schemes in the future.