Re: [OAUTH-WG] why are we signing?
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 09 November 2009 09:16 UTC
Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31EC43A6885 for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 01:16:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.594
X-Spam-Level:
X-Spam-Status: No, score=-1.594 tagged_above=-999 required=5 tests=[AWL=-0.078, BAYES_00=-2.599, URIBL_RHS_DOB=1.083]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCmK3y1W2rzr for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 01:16:45 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id ACD2B3A63EC for <oauth@ietf.org>; Mon, 9 Nov 2009 01:16:44 -0800 (PST)
Received: (qmail invoked by alias); 09 Nov 2009 09:17:09 -0000
Received: from host-18-117.meeting.ietf.org (EHLO 4FIL42860) [133.93.18.117] by mail.gmx.net (mp039) with SMTP; 09 Nov 2009 10:17:09 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+coyknuJicn9+G561caEk1/umzBxRXE5oL4dCqpf ZYoGW/dfSPpynY
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: 'Brian Eaton' <beaton@google.com>, oauth@ietf.org
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
Date: Mon, 09 Nov 2009 18:20:22 +0900
Message-ID: <058101ca611d$e02be780$4a3e000a@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acpg+fEBU+BwEhqXSYuENARo7UE3OwAGYHNg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.57
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 09:16:46 -0000
Hi Brian, There is no doubt that one can sign different parts of the message to show that you know the key and to bind the token to the request itself. You can find examples of signing different practices in other protocols. For example, DKIM allows you to vary the amount of elements being signed (see h-parameter on page 20 of http://www.ietf.org/rfc/rfc4871.txt). SIP Identity, http://www.rfc-editor.org/rfc/rfc4474.txt, signs a fixed number of fields (although more than the current Oauth spec). There is most likely no right answer since it depends a bit on the threat model and the usage scenarios. Here is an example. The signature mechanism prevents replays of the token. The HTTP case and the SIP/XMPP communication model are different since with XMPP/SIP there is also the risk that intermediaries see the token passing by and misuse it. The usage of Oauth has been suggested also for XMPP (see http://xmpp.org/extensions/xep-0235.html) and for SIP (see http://tools.ietf.org/html/draft-beck-oauth-sip-eval-00). Ciao Hannes >Hey folks - > >What are the use cases for cryptography in OAuth? Why are we >signing requests? And how much of each request do we need to >sign in order to be useful? > >As I see it, we have roughly the following menu of choices: > >1) No signatures. > Just use bearer tokens. Use transport layer encryption to >keep those bearer tokens from leaking. > >2) Signed tokens. > We could just sign a timestamp, rather than entire messages. > >3) Partially signed messages. > We could sign just the request URL, or the request URL >plus some parameters. > >4) Fully signed messages. > Sign as much of the HTTP request as possible, down to the >bits of the HTTP entity body. > >My guess is we need at least two out of those four choices >(one with bearer tokens, a la OAuth 1.0 plaintext) and another >with cryptography. But I'm not sure whether we need to sign >entire messages, or if we can get away with something simpler >and still have reasonable security. > >Cheers, >Brian >_______________________________________________ >OAuth mailing list >OAuth@ietf.org >https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Chris Messina
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? Hannes Tschofenig
- Re: [OAUTH-WG] why are we signing? John Kemp
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Igor Faynberg
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Infinity Linden (Meadhbh Hamrick)
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Dick Hardt
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP Paul C. Bryan
- Re: [OAUTH-WG] OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth WRAP John Panzer
- Re: [OAUTH-WG] OAuth WRAP Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? BeckW
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] OAuth WRAP RL 'Bob' Morgan
- Re: [OAUTH-WG] OAuth WRAP Chris Messina
- Re: [OAUTH-WG] [WRAP] Re: OAuth WRAP Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] OAuth WRAP Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? George Fletcher
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Brian Eaton
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Prateek Mishra
- Re: [OAUTH-WG] why are we signing?; OAuth 2.0 / C… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Eran Hammer-Lahav
- Re: [OAUTH-WG] why are we signing? Richard Barnes
- Re: [OAUTH-WG] why are we signing? Mike Malone
- Re: [OAUTH-WG] why are we signing? John Panzer
- Re: [OAUTH-WG] why are we signing? Dick Hardt
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation (was: Re: why a… Peter Saint-Andre
- Re: [OAUTH-WG] why are we signing? Stephen Farrell
- Re: [OAUTH-WG] why are we signing? Peter Saint-Andre
- [OAUTH-WG] multi-level delegation Vrancken Bart bv
- Re: [OAUTH-WG] multi-level delegation (was: Re: w… Zeltsan, Zachary (Zachary)