IETF Logo Mail Archive

[OAUTH-WG] OAuth Signature

Nat Sakimura <sakimura@gmail.com> Tue, 27 July 2010 07:34 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD5543A69E2 for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 00:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level:
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tUID7-L4MZ5q for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 00:34:03 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 33A143A69F9 for <oauth@ietf.org>; Tue, 27 Jul 2010 00:34:03 -0700 (PDT)
Received: by iwn38 with SMTP id 38so3772617iwn.31 for <oauth@ietf.org>; Tue, 27 Jul 2010 00:34:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=3eNaTjxiqt4zpfwBsMNUxme31mckzzB/i3dR36ehuAs=; b=jc1VBS9iFQppVsGk8uqLq2W4Xcdc+04nVHvVDSgsAv43+O9LUC84CXbUm2V/sWAt4i hCyEkmPRsUTOrOzHLLk/+Ki/1xlmz4J8L/SbPgDjz4mUIRZRLYHEHFE8IIgXc6Mnt0CA JL29arUiqbBLGvCeOT4swr27KQg0n8BVE29Ks=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=WyLKefPAhm3SZp7Ow1xp+YA5I4uw+Ft8Ls3htdD1YzpYrv6As5s/SOG5F44WUMiqf7 LclP9UZlypxQXTRSi6MQMpoiQ8rdbeIY80BedYnBDk5vV4h/bAL9AEZReFA9oFF2/HOC XTbkL1mx/brreuuJ9/C0IzpWoppE7ft+dEKMc=
MIME-Version: 1.0
Received: by 10.231.155.206 with SMTP id t14mr9869222ibw.34.1280216064815; Tue, 27 Jul 2010 00:34:24 -0700 (PDT)
Received: by 10.231.158.67 with HTTP; Tue, 27 Jul 2010 00:34:24 -0700 (PDT)
Date: Tue, 27 Jul 2010 16:34:24 +0900
Message-ID: <AANLkTi=XYFSVeNxA43k+zYwt6yoGDtioa3kR47eaNYB+@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Dirk Balfanz <balfanz@google.com>, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [OAUTH-WG] OAuth Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2010 07:34:05 -0000

I have a fundamental question.

While separating signature and payload by a dot "." seems ok,
I still have not the answer for the question "why not make everything
into JSON and base64url it?".

i.e., Right now, you are proposing:

base64url_encode(JSON(payload,envelope)).base64url_encode(signature)

Why not

base64url_encode(JSON(payload,envelope,signature)

It probably is less hassle in terms of coding. (It is true that some
parameters gets base64url encoded twice but

BTW, some of the envelope parameters such as alg needs to be signed as
well to thwart the algorithm replacing attack.

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en

v2.34.0 | Report a Bug | By Email | System Status