Re: [OAUTH-WG] JSON Payload signature (re: draft-richer-oauth-signed-http-request-01.txt)

"Richer, Justin P." <jricher@mitre.org> Wed, 07 May 2014 00:19 UTC

From: "Richer, Justin P." <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 07 May 2014 00:19:39 +0000
Message-ID: <97A10407-119B-4443-99C4-6AEE1DDF85A0@mitre.org>
References: <172266CC-2A8C-4724-9D89-F79D290B1E48@oracle.com>
In-Reply-To: <172266CC-2A8C-4724-9D89-F79D290B1E48@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tVU01YFBa7-JztH08D0zwedgtzc
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Payload signature (re: draft-richer-oauth-signed-http-request-01.txt)

Seems like a reasonable extension to me, in that it shouldn't break things, really. Is the suggestion to define a particular member for "other stuff" or to state that you're allowed to add other stuff inside the payload object?

But on the other hand, I'm wondering why other parts of the protocol (like hashing the HTTP body) wouldn't cover it? Or why you wouldn't want to just use a JOSE container for your entire protocol? Basically, within a given protocol you could easily put whatever additional stuff you like inside the protected JOSE payload without disrupting things, but I don't see the use case why you'd want to do that and not something else.

 -- Justin

On May 6, 2014, at 6:54 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

Justin,

Any discussion on including JSON payloads in the signed requests?  Had an interesting conversation with Bill and I think this would be a useful optional feature.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
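As an added illustration of the two options Justin contrasts (not code from the draft, the OAuth WG, or either poster), the following Python shows a signed-request JWS that binds a hash of the raw HTTP body beside one that carries the JSON payload itself inside the protected JOSE payload object. The member names m/u/p/b/ts follow the draft's style but are an assumption here, HS256 with a constructed shared secret is used only so the example runs on the standard library, and the request and key values are constructed. The verifier side is included so the difference shows up in practice: a raw-body hash breaks on any re-serialization of the same JSON, whereas the embedded object survives it.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from draft-richer-oauth-signed-http-request-01 or the
# OAuth WG. Member names m/u/p/b/ts are an assumption modelled on the draft;
# HS256 is used only so this runs with the standard library.


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Compact-serialization JWS (HS256) over a JSON payload object."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jws_verify(token: str, key: bytes):
    """Return the payload object if the signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def body_hash(raw_body: bytes) -> str:
    """SHA-256 of the exact request bytes, base64url encoded."""
    return b64url(hashlib.sha256(raw_body).digest())


# Option 1: sign the request parts plus a hash of the raw body (the draft's approach).
def sign_request_with_body_hash(method, host, path, raw_body: bytes, key, ts=1399421979):
    claims = {"m": method, "u": host, "p": path, "b": body_hash(raw_body), "ts": ts}
    return jws_sign(claims, key)


def verify_request_with_body_hash(token, method, host, path, raw_body: bytes, key) -> bool:
    claims = jws_verify(token, key)
    if claims is None:
        return False
    return (claims.get("m") == method and claims.get("u") == host
            and claims.get("p") == path
            and hmac.compare_digest(claims.get("b", ""), body_hash(raw_body)))


# Option 2: carry the JSON payload inside the protected JOSE payload object
# ("other stuff" in the payload), so the verifier reads it from the claims.
def sign_request_with_embedded_json(method, host, path, json_body: dict, key, ts=1399421979):
    claims = {"m": method, "u": host, "p": path, "body": json_body, "ts": ts}
    return jws_sign(claims, key)


def extract_embedded_json(token, method, host, path, key):
    """Return the protected JSON body, or None if the signature or request binding fails."""
    claims = jws_verify(token, key)
    if claims is None or (claims.get("m"), claims.get("u"), claims.get("p")) != (method, host, path):
        return None
    return claims.get("body")


if __name__ == "__main__":
    key = b"constructed-shared-secret"          # constructed for the example
    body = b'{"amount": 100, "to": "acct-42"}'  # constructed request body
    tok = sign_request_with_body_hash("POST", "api.example.com", "/transfer", body, key)
    print(verify_request_with_body_hash(tok, "POST", "api.example.com", "/transfer", body, key))
    tampered = b'{"amount": 100, "to": "acct-43"}'
    print(verify_request_with_body_hash(tok, "POST", "api.example.com", "/transfer", tampered, key))
    # Same JSON, different whitespace: the raw-byte hash no longer matches.
    reflowed = b'{"amount":100,"to":"acct-42"}'
    print(verify_request_with_body_hash(tok, "POST", "api.example.com", "/transfer", reflowed, key))
    tok2 = sign_request_with_embedded_json("POST", "api.example.com", "/transfer", json.loads(body), key)
    print(extract_embedded_json(tok2, "POST", "api.example.com", "/transfer", key))
```

The third check is the practical caveat behind the body-hash design: any proxy or framework that re-serializes JSON between signer and verifier changes the bytes and so the hash, while the embedded-object form is insensitive to that but duplicates the body inside the token.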