Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision
Marius Scurtescu <mscurtescu@google.com> Mon, 27 September 2010 18:14 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B7393A6D2F for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 11:14:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.977
X-Spam-Level:
X-Spam-Status: No, score=-103.977 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wq9cK4doWMmJ for <oauth@core3.amsl.com>; Mon, 27 Sep 2010 11:14:08 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 585923A6C62 for <oauth@ietf.org>; Mon, 27 Sep 2010 11:14:07 -0700 (PDT)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id o8RIEjoI023948 for <oauth@ietf.org>; Mon, 27 Sep 2010 11:14:45 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285611285; bh=qyQsUhitFWZxagBBmosorP1FfiA=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=ag2gnl+Fm8alx6mnwPwIUH/YFma+Wa6wrjfueibFZz8giPsATS4/zll7wwW7AYtT4 qhwOz9SfD517dm16kS20g==
Received: from gxk8 (gxk8.prod.google.com [10.202.11.8]) by wpaz17.hot.corp.google.com with ESMTP id o8RIET17024856 for <oauth@ietf.org>; Mon, 27 Sep 2010 11:14:44 -0700
Received: by gxk8 with SMTP id 8so2555601gxk.41 for <oauth@ietf.org>; Mon, 27 Sep 2010 11:14:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=860saFzGT1GyvWkmbNDhBKZlnin48cmxI+sUnihupa8=; b=DuAVqtnndtYU7KZ7xJKv66hZYjbiik44GxJCL87Y6E+LX9r6jBrbiSW4XpzLq24mJF o7SmlgA4itHX3bhdbomg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=riFdeK1sbYzfy5jwucn2nQ7mgIdfrGSuHM/vn1EgNFGiiEe6Ut9ZZtK9g4KJ1Arf+X 0xsD6F5JvfBnW+J7wsZg==
Received: by 10.100.232.7 with SMTP id e7mr6097027anh.133.1285611283753; Mon, 27 Sep 2010 11:14:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.101.187.10 with HTTP; Mon, 27 Sep 2010 11:14:23 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394314AA07A6@TK5EX14MBXC207.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343D45D80139@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B168042967394314AA07A6@TK5EX14MBXC207.redmond.corp.microsoft.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 27 Sep 2010 11:14:23 -0700
Message-ID: <AANLkTikOz3fb8VQ63Z7y1--fSXMRJvsJGi6o-XAEZN3W@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 18:14:18 -0000
I also think we should focus on finishing OAuth 2 core and deal with signatures in a separate spec. Not sure what are optional 1.0a signatures really buying. Client developers given an option in most cases will go with bearer tokens. If server developers want to enforce signatures, or provide the option, they can always implement OAuth 1.0a (for the time being). Is that much worse than enforcing OAuth 2 with 1.0a signatures? The only other argument I am aware of is that IETF will not approve OAuth 2 core if there are no signatures in it. Is this a guess? How come this was not an issue until recently? Marius On Mon, Sep 27, 2010 at 9:36 AM, Mike Jones <Michael.Jones@microsoft.com> wrote: > Since you were asking for votes earlier, I’ll add a -1. I believe the > industry would be better served by approving a draft soon without > signatures, and then working on signatures separately. > > > > -- Mike > > > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of > Eran Hammer-Lahav > Sent: Sunday, September 26, 2010 11:44 PM > To: OAuth WG (oauth@ietf.org) > Subject: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision > > > > Building on John Panzer’s proposal, I would like to ask if people have > strong objections to the following: > > > > - Add the 1.0a RFC language for HMAC-SHA-1 signatures to the core > specification in -11 > > - Discuss the signature language on the list and improve both prose and > signature base string construction > > - Apply improvements to -12 > > > > Keeping the 1.0a signature in the core specification makes sense and builds > on existing experience and deployment. If we can reach quick consensus on > some improvements, great. If not, we satisfy the need of many here to offer > a simple alternative to bearer tokens, without having to reach consensus on > a new signature algorithm suitable for core inclusion. > > > > --- > > > > I have seen nothing to suggest that this working group is going to reach > consensus on a single signature algorithm worthy of core inclusion. I agree > with John that at least the 1.0a algorithm is well understood and already > deployed. I can live with it used without changes, which will also allow > reusing existing code with 2.0. I think we can improve it by making small > changes, but have better things to do with my time than spend the next few > months arguing over it. > > > > By including the 1.0a text in -11, we will have a feature complete > specification that I hope many people here can live with if it doesn’t > change (which looks more likely). > > > > My question is, who here has strong objections to this, and cannot live with > the core specification including the 1.0a HMAC-SHA1 algorithm? > > > > EHL > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Proposal: OAuth 1.0 signature in core … Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Dick Hardt
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Dick Hardt
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Mike Jones
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Marius Scurtescu
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Anthony Nadalin
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Lukas Rosenstock
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Anthony Nadalin
- Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in c… Eran Hammer-Lahav