Re: [OAUTH-WG] OAuth 2.0: client_secret, state

Allen Tom <atom@yahoo-inc.com> Mon, 22 March 2010 23:22 UTC

Date: Mon, 22 Mar 2010 16:20:48 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: OAuth WG <oauth@ietf.org>
Message-ID: <C7CD4960.27E8C%atom@yahoo-inc.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11253230F19@WSMSG3153V.srv.dir.telstra.com>

Hi All -

Regarding the client secret - one of the design goals for OAuth-WRAP was to
cleanly separate the AuthZ server from the Protected Resource. The Protected
Resource should only have to know how to validate Access Tokens issued by
its AuthZ server.

The HMAC-SHA1 signature method defined in 4.2.1.1 of the OAuth 2.0 spec
violates this principle because it requires the protected resource to have
the client secret in order to validate the signature. Distributing the
client secret to all Protected Resources can have negative security and
performance implications.

http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#compute_sig

I recommend removing the client secret from the signature calculation, and
instead using only the Access Token secret.

Allen
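The following is an added illustration of the point made in the post (my code, not the draft's or Allen's): a resource server that only holds access-token secrets cannot verify a signature keyed on the client secret, but can verify one keyed on the token secret alone. It assumes a simplified key construction (secrets joined with `&`) and a constructed base string standing in for the draft's normalized request string.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the spec or the post).
TOKEN_STORE = {"tok123": ("client1", "token-secret-constructed")}  # resource server's view
CLIENT_SECRETS = {"client1": "client-secret-constructed"}          # held by the AuthZ server
BASE_STRING = "GET&https%3A%2F%2Fresource.example%2Fphotos&token%3Dtok123"  # simplified stand-in


def sign(base_string: str, *secrets: str) -> str:
    """HMAC-SHA1 over base_string, keyed by the secrets joined with '&'.
    The '&'-joined key is an assumed simplification, not the draft's exact rule."""
    key = "&".join(secrets).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_with_client_secret(token, base_string, signature, client_secrets):
    """Draft-style check: the verifier needs the client secret as well as the token secret."""
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return False
    client_id, token_secret = entry
    client_secret = client_secrets.get(client_id)
    if client_secret is None:  # resource server was never given this client's secret
        return False
    expected = sign(base_string, client_secret, token_secret)
    return hmac.compare_digest(expected, signature)


def verify_token_only(token, base_string, signature):
    """Proposed check: only the access token secret is needed, which the resource server has."""
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return False
    _, token_secret = entry
    return hmac.compare_digest(sign(base_string, token_secret), signature)


def demo():
    """Run both schemes against a resource server with and without the client secret."""
    token_secret = TOKEN_STORE["tok123"][1]
    sig_both = sign(BASE_STRING, CLIENT_SECRETS["client1"], token_secret)
    sig_tok = sign(BASE_STRING, token_secret)
    return {
        "draft_rs_has_client_secret": verify_with_client_secret("tok123", BASE_STRING, sig_both, CLIENT_SECRETS),
        "draft_rs_lacks_client_secret": verify_with_client_secret("tok123", BASE_STRING, sig_both, {}),
        "token_only": verify_token_only("tok123", BASE_STRING, sig_tok),
        "token_only_tampered": verify_token_only("tok123", BASE_STRING + "x", sig_tok),
    }
```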