IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Richard Barnes <rbarnes@bbn.com> Wed, 02 December 2009 19:39 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE2453A6AEB for <oauth@core3.amsl.com>; Wed, 2 Dec 2009 11:39:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCXxlKqTf4bF for <oauth@core3.amsl.com>; Wed, 2 Dec 2009 11:39:51 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 474563A6403 for <oauth@ietf.org>; Wed, 2 Dec 2009 11:39:51 -0800 (PST)
Received: from [128.89.253.85] (helo=[10.1.2.164]) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.63) (envelope-from <rbarnes@bbn.com>) id 1NFv37-0006Iy-Cf; Wed, 02 Dec 2009 14:39:42 -0500
Message-Id: <AA88D883-3D4C-4213-B9B5-0B9720E27190@bbn.com>
From: Richard Barnes <rbarnes@bbn.com>
To: John Panzer <jpanzer@google.com>
In-Reply-To: <cb5f7a380912020949u390d19f4x2e2f5c90722ba6c8@mail.gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-3-155222020"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 02 Dec 2009 09:39:39 -1000
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B15D7C2.2070901@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570912011946j600f8cbcl918af16fbbbc3206@mail.gmail.com> <EDFFBBF1-7FBB-4F4E-A0D8-B92C9036B33C@microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343785209F94@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B1637EB.5080502@cs.tcd.ie> <4B16855C.90209@oracle.com> <cb5f7a380912020949u390d19f4x2e2f5c90722ba6c8@mail.gmail.com>
X-Mailer: Apple Mail (2.936)
Cc: "oauth@ietf.org" <oauth@ietf.org>, Prateek Mishra <prateek.mishra@oracle.com>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2009 19:39:52 -0000

Right.  Generally the expectation is that the Security Considerations  
section will discuss what the threats are against the protocol in  
question, how security features mitigate those threats, and what the  
risks are of not using those features.  At least that's what I look  
for when I do a SECDIR review :)

The authoritative guide is RFC 3552:
<http://tools.ietf.org/html/rfc3552>

--Richard



On Dec 2, 2009, at 7:49 AM, John Panzer wrote:

> It requires a security considerations section :).
> --
> John Panzer / Google
> jpanzer@google.com / abstractioneer.org / @jpanzer
>
>
>
> On Wed, Dec 2, 2009 at 7:18 AM, Prateek Mishra <prateek.mishra@oracle.com 
> > wrote:
> Stephen,
>
> +1 from our side.
>
> Here is a newbie question: does the IETF process require a  
> discussion of threats and countermeasures
> as part of the specification? - explaining the specific situations  
> that rely on SSL or signing and what the consequences
> of "turning it off" might be...
>
> - prateek
>
> I think we'll need an analysis of where we end up wanting TLS
> for the protocols we produce. I wouldn't expect any big
> surprises, but right now I don't think we can be sure since
> things seems to be in flux to some extent.
>
> Then, I'd be for saying that TLS MUST be used for those operations.
> However, I can well believe that there may be some niches where
> using TLS isn't easy, so I could live with something like: it MUST
> be possible to use TLS, and that deployments SHOULD use it, with
> guidance as to the type of scenario where we think TLS really
> has to be turned on, and maybe text about why sometimes people
> can't do that.
>
> So I don't think we can finish this discussion at this stage.
>
> S.
>
> Eran Hammer-Lahav wrote:
>
> <smiling but not joking>
>
> I would like to make an official request to the chair for a  
> consensus call on recommending SSL but keeping it optional in the  
> various OAuth components. We can figure out how strong to make the  
> language (or how scary), and we may make it mandatory in some flows/ 
> profiles, but I would like to be done with this discussion (for the  
> n time).
>
> If someone will want to raise new arguments, well, this is the IETF  
> so who can stop them? :-)
>
> EHL
>
>
> -----Original Message-----
> From: Dick Hardt [mailto:Dick.Hardt@microsoft.com]
> Sent: Tuesday, December 01, 2009 9:51 PM
> To: Brian Eaton
> Cc: Eran Hammer-Lahav; Peter Saint-Andre; <ext@core3.amsl.com>;
> Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
> Subject: Re: [OAUTH-WG] why are we signing?
>
>
> On 2009-12-01, at 5:46 PM, Brian Eaton wrote:
>
>
> On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav
>
> <eran@hueniverse.com> wrote:
>
> Getting a Class 1 cert from the likes of StartSSL is easy as pie
> these days. IMHO there is no excuse for not deploying SSL if you
> care one whit about security. The problem is that too many
> small-scale developers (and big companies!) simply don't care.
>
> Don't care, don't need that much security, don't understand it, etc.
>
> Bottom line is that requiring SSL is certain to fork this work if  
> not done right.
>
> Note, however, that someone who can't get SSL working and still
> deploys OAuth has basically no security against eavesdroppers or MITM
> attacks, and certainly can't expect OAuth to provide it.  The issues
> are in the token issuance phase: these organizations are sending user
> passwords and session cookies in clear text!  OAuth is the least of
> their security concerns,
>
> If the cost of SSL outweighs the risk of a security breach, then why  
> would a
> developer deploying OAuth choose to sign their messages rather then  
> use
> the simpler bearer token?
>
> Peter Saint-Andre questioned why SSL was required in OAuth WRAP. I  
> think
> that is a good question. Perhaps it should be RECOMMENDED, and
> deployments can make their own benefit analysis.
>
> -- Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email