Re: [OAUTH-WG] OAuth 2.0: client_secret, state
Allen Tom <atom@yahoo-inc.com> Mon, 22 March 2010 23:22 UTC
Return-Path: <atom@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4317E28C22F for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 16:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.68
X-Spam-Level:
X-Spam-Status: No, score=-15.68 tagged_above=-999 required=5 tests=[AWL=-1.070, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1AyfUgtsJ07 for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 16:22:32 -0700 (PDT)
Received: from mrout3.yahoo.com (mrout3.yahoo.com [216.145.54.173]) by core3.amsl.com (Postfix) with ESMTP id D7D5928C230 for <oauth@ietf.org>; Mon, 22 Mar 2010 16:22:32 -0700 (PDT)
Received: from SNV-EXPF01.ds.corp.yahoo.com (snv-expf01.ds.corp.yahoo.com [207.126.227.250]) by mrout3.yahoo.com (8.13.6/8.13.6/y.out) with ESMTP id o2MNLT1K060013 for <oauth@ietf.org>; Mon, 22 Mar 2010 16:21:29 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:user-agent:date:subject:from:to:message-id: thread-topic:thread-index:in-reply-to:mime-version:content-type: content-transfer-encoding:x-originalarrivaltime; b=uHePY+ZGj7L4v5scjnd57cEqnQckI1Tsi3ViJjEFnBRw2FJjapFA5rbNEfg5jQkc
Received: from SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.235]) by SNV-EXPF01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 22 Mar 2010 16:21:29 -0700
Received: from 10.72.181.200 ([10.72.181.200]) by SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.239]) via Exchange Front-End Server snv-webmail.corp.yahoo.com ([207.126.227.60]) with Microsoft Exchange Server HTTP-DAV ; Mon, 22 Mar 2010 23:20:53 +0000
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Mon, 22 Mar 2010 16:20:48 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: OAuth WG <oauth@ietf.org>
Message-ID: <C7CD4960.27E8C%atom@yahoo-inc.com>
Thread-Topic: [OAUTH-WG] OAuth 2.0: client_secret, state
Thread-Index: AcrJ6GygxK8934qxRD6n2IeTcvWg2gAJGKmwAAJfro8=
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11253230F19@WSMSG3153V.srv.dir.telstra.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 22 Mar 2010 23:21:29.0016 (UTC) FILETIME=[666F9380:01CACA16]
Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2010 23:22:34 -0000
Hi All - Regarding the client secret - one of the design goals for OAuth-WRAP was to cleanly separate the AuthZ server from the Protected Resource. The Protected Resource should only have to know how to validate Access Tokens issued by its AuthZ server. The HMAC-SHA1 signature method defined in 4.2.1.1 of the Oauth 2.0 spec violates this principle because it requires the protected resource to have the client secret in order to validate the signature. Distributing the client secret to all Protected Resources can have negative security and performance implications. http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#compute_sig I recommend removing the client secret from the signature calculation, and instead using only the Access Token secret. Allen
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] First draft of OAuth 2.0 Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Luke Shepard
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Mark Mcgloin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Paul Madsen
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Brian Eaton
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Hans Granqvist
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Marius Scurtescu