Re: [OAUTH-WG] why are we signing?

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 09 November 2009 09:16 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Brian Eaton' <beaton@google.com>, oauth@ietf.org
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
Date: Mon, 09 Nov 2009 18:20:22 +0900
Message-ID: <058101ca611d$e02be780$4a3e000a@nsnintra.net>
Subject: Re: [OAUTH-WG] why are we signing?

Hi Brian,

There is no doubt that one can sign different parts of the message to show
that you know the key and to bind the token to the request itself.

You can find examples of different signing practices in other protocols. For
example, DKIM allows you to vary the amount of elements being signed (see
h-parameter on page 20 of http://www.ietf.org/rfc/rfc4871.txt). SIP
Identity, http://www.rfc-editor.org/rfc/rfc4474.txt, signs a fixed number of
fields (although more than the current OAuth spec).

There is most likely no right answer since it depends a bit on the threat
model and the usage scenarios. Here is an example. The signature mechanism
prevents replays of the token. The HTTP case and the SIP/XMPP communication
model are different since with XMPP/SIP there is also the risk that
intermediaries see the token passing by and misuse it. The usage of OAuth
has also been suggested for XMPP (see
http://xmpp.org/extensions/xep-0235.html) and for SIP (see
http://tools.ietf.org/html/draft-beck-oauth-sip-eval-00).

Ciao
Hannes

>Hey folks -
>
>What are the use cases for cryptography in OAuth?  Why are we 
>signing requests?  And how much of each request do we need to 
>sign in order to be useful?
>
>As I see it, we have roughly the following menu of choices:
>
>1) No signatures.
>    Just use bearer tokens.  Use transport layer encryption to 
>keep those bearer tokens from leaking.
>
>2) Signed tokens.
>    We could just sign a timestamp, rather than entire messages.
>
>3) Partially signed messages.
>    We could sign just the request URL, or the request URL 
>plus some parameters.
>
>4) Fully signed messages.
>     Sign as much of the HTTP request as possible, down to the 
>bits of the HTTP entity body.
>
>My guess is we need at least two out of those four choices 
>(one with bearer tokens, a la OAuth 1.0 plaintext) and another 
>with cryptography.  But I'm not sure whether we need to sign 
>entire messages, or if we can get away with something simpler 
>and still have reasonable security.
>
>Cheers,
>Brian
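To make the difference between Brian's "partially signed" and "fully signed" options concrete, and Hannes's point that the signature is what stops a captured token from being replayed or re-bound to another request, here is an added illustration (my own example, not code from the thread or from any OAuth specification). It HMAC-signs a canonical base string with or without a hash of the entity body and shows what a verifier with a timestamp window and nonce memory catches in each mode; the key, URL and request bodies are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # shared client/server key (constructed)

def sign(method, url, timestamp, nonce, body=None):
    """HMAC over a canonical base string. With body=None only method, URL,
    timestamp and nonce are covered (partially signed); passing the body adds
    its SHA-256 hash so the entity body is covered too (fully signed)."""
    parts = [method.upper(), url, str(timestamp), nonce]
    if body is not None:
        parts.append(hashlib.sha256(body).hexdigest())
    msg = "\n".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: signature check plus timestamp window and nonce memory,
    which is what turns a bare signature into replay protection."""
    def __init__(self, window=300):
        self.window = window
        self.seen = set()

    def verify(self, method, url, timestamp, nonce, signature, body, sign_body, now):
        if abs(now - timestamp) > self.window:
            return "stale timestamp"
        if (nonce, timestamp) in self.seen:
            return "replayed nonce"
        expected = sign(method, url, timestamp, nonce, body if sign_body else None)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        self.seen.add((nonce, timestamp))
        return "ok"

def demo():
    """Outcomes for a valid request, its replay, a stale request, and a body
    swapped in transit under partial vs. full signing."""
    ts, url = 1257758422, "https://api.example.com/photos"  # constructed
    body, tampered = b'{"album":"public"}', b'{"album":"private"}'
    v = Verifier()
    partial = sign("POST", url, ts, "n1")        # URL-only signature
    full = sign("POST", url, ts, "n2", body)     # body hash included
    return {
        "legit": v.verify("POST", url, ts, "n1", partial, body, False, ts + 1),
        "replay": v.verify("POST", url, ts, "n1", partial, body, False, ts + 2),
        "stale": v.verify("POST", url, ts, "n2", full, body, True, ts + 1000),
        # Partial signing never covered the body, so the swap goes unnoticed.
        "partial_tamper": v.verify("POST", url, ts, "n3", sign("POST", url, ts, "n3"), tampered, False, ts + 3),
        # Full signing includes the body hash, so the swap is detected.
        "full_tamper": v.verify("POST", url, ts, "n2", full, tampered, True, ts + 3),
    }
```

The nonce memory is per verifier instance here; in a real deployment it has to be shared across servers or the replay check silently disappears.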