Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
Eric Sachs <esachs@google.com> Fri, 24 September 2010 01:27 UTC
Return-Path: <esachs@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F0393A68FA for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 18:27:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGpAyVqK1GWT for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 18:27:29 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 444723A6851 for <oauth@ietf.org>; Thu, 23 Sep 2010 18:27:29 -0700 (PDT)
Received: from wpaz33.hot.corp.google.com (wpaz33.hot.corp.google.com [172.24.198.97]) by smtp-out.google.com with ESMTP id o8O1RxvA029135 for <oauth@ietf.org>; Thu, 23 Sep 2010 18:27:59 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285291679; bh=c49bnHTIT8dyl4V8x2AQeKXxj+E=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=n4WNIDnQdk4LrA2C6WPN4DSGF/Qj7x3ZJthyecds9pLnTUkq+iPVHY2y3F7XQrMFN 0w5z7Cj+VKOnQ23QiO79Q==
Received: from yxk30 (yxk30.prod.google.com [10.190.3.158]) by wpaz33.hot.corp.google.com with ESMTP id o8O1QxAx032319 for <oauth@ietf.org>; Thu, 23 Sep 2010 18:27:58 -0700
Received: by yxk30 with SMTP id 30so330430yxk.16 for <oauth@ietf.org>; Thu, 23 Sep 2010 18:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=wHpaJOBdFa0C+5Ah76A50sJY0CdTQvzJNK5MN3UTVNg=; b=B2xfJjFsAEiMsvVXTgcInC0PQEO+O6WHyzEd3hsYO+4vrA9k/6r+K5TEGeUjQ9RzfM oHrw+po4NoR5JNncEbAQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=eLOYcnaTtJEqAobe2lvV1W+A06d8K/qGmnieKv7p7ybST3mLz+E9PZoK6Bh/6V6pB5 VueEG6BC87Qtwsqpqu3w==
MIME-Version: 1.0
Received: by 10.150.12.3 with SMTP id 3mr3853420ybl.7.1285291678008; Thu, 23 Sep 2010 18:27:58 -0700 (PDT)
Received: by 10.150.199.16 with HTTP; Thu, 23 Sep 2010 18:27:57 -0700 (PDT)
In-Reply-To: <1990A18DEA6E97429CFD1B4D2C5DA7E70BEB77@TK5EX14MBXC101.redmond.corp.microsoft.com>
References: <AANLkTinjjg1Fj5bVmtnngYqg1fFOLzUbrqSHZ9P-oHWq@mail.gmail.com> <C8C148D3.3AC59%eran@hueniverse.com> <1990A18DEA6E97429CFD1B4D2C5DA7E70BEB77@TK5EX14MBXC101.redmond.corp.microsoft.com>
Date: Thu, 23 Sep 2010 18:27:57 -0700
Message-ID: <AANLkTinxyVE9pv0ATGdJcGVzH7jQN_X4SMbx0ugTrDBJ@mail.gmail.com>
From: Eric Sachs <esachs@google.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary="000e0cd6a944e687230490f749f7"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 01:27:30 -0000
>> I believe that an OAuth 1.0a style signature How about we start with exactly an OAuth 1.0a style signature? It may be tricky, but there are still client libraries and some web-services that handle them. Like Tony, I also have not heard requests for a new signature approach, but one of the reasons is that there are already developers who are using OAuth2 & WRAP style approaches combined with OAuth1 signatures. So why not simply have a section in the core spec that mentions the option of using signatures and gives OAuth1 as one of the possible approaches? That avoids the potential concern of any large delay in the core spec to get agreement on a new signature mechanism, but gives an option that can quickly be used by developers, and provides a place to hook in other signature schemes in the future.
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes