Re: [OAUTH-WG] why are we signing?

Brian Eaton <beaton@google.com> Wed, 02 December 2009 03:46 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B9983A67AE for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 19:46:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IdEhCtlmYHCZ for <oauth@core3.amsl.com>; Tue, 1 Dec 2009 19:46:52 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 30DBD3A6774 for <oauth@ietf.org>; Tue, 1 Dec 2009 19:46:52 -0800 (PST)
Received: from spaceape9.eur.corp.google.com (spaceape9.eur.corp.google.com [172.28.16.143]) by smtp-out.google.com with ESMTP id nB23keG0024496 for <oauth@ietf.org>; Wed, 2 Dec 2009 03:46:41 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1259725602; bh=2hQNrcrSW9Cig0ycPIl2KvkntNk=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=UfxaQcfaifKrhJFfV7Ei5Q4T1EM/PLZQAqR7Gq+STV7XCJFrfhE9a7r4FEMKAnfcf 6YlsnfXEVmFBRZMd3DIEQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=Kbz0lKU3WiuawUmiqxMV0AQTsqGcbijZGxLGANTitT2dCRJ+R7W04pXTdnnqrFa1R geQTdK4MMJnKYAkJGrmVg==
Received: from pzk10 (pzk10.prod.google.com [10.243.19.138]) by spaceape9.eur.corp.google.com with ESMTP id nB23kQKE030731 for <oauth@ietf.org>; Tue, 1 Dec 2009 19:46:38 -0800
Received: by pzk10 with SMTP id 10so4125126pzk.19 for <oauth@ietf.org>; Tue, 01 Dec 2009 19:46:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.141.42.3 with SMTP id u3mr455787rvj.107.1259725597783; Tue, 01 Dec 2009 19:46:37 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <3D3C75174CB95F42AD6BCC56E5555B4501F19743@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343785209BBB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B15D7C2.2070901@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E72343785209F78@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 01 Dec 2009 19:46:37 -0800
Message-ID: <daf5b9570912011946j600f8cbcl918af16fbbbc3206@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth@ietf.org" <oauth@ietf.org>, ext@core3.amsl.com
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2009 03:46:53 -0000

On Tue, Dec 1, 2009 at 7:08 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> Getting a Class 1 cert from the likes of StartSSL is easy as pie these
>> days. IMHO there is no excuse for not deploying SSL if you care one whit
>> about security. The problem is that too many small-scale developers (and
>> big companies!) simply don't care.
>
> Don't care, don't need that much security, don't understand it, etc. Bottom line is that requiring SSL is certain to fork this work if not done right.

Note, however, that someone who can't get SSL working and still
deploys OAuth has basically no security against eavesdroppers or MITM
attacks, and certainly can't expect OAuth to provide it.  The issues
are in the token issuance phase: these organizations are sending user
passwords and session cookies in clear text!  OAuth is the least of
their security concerns.

(Wearing my security geek hat, I think it's pretty reasonable for some
people to refuse to deploy SSL.  It's a business choice.  Security is
about managing risk, and in some cases the cost of getting SSL working
just isn't worth it.  And I'm completely fine with those folks
deploying OAuth without SSL as well.  There's no sense in putting a
bullet proof door on a house made of straw.)

Cheers,
Brian