Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
Anthony Nadalin <tonynad@microsoft.com> Fri, 24 September 2010 01:19 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BDE003A68F1 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 18:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.201
X-Spam-Level:
X-Spam-Status: No, score=-10.201 tagged_above=-999 required=5 tests=[AWL=0.397, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mY7jnFXVGX-f for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 18:18:54 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.214]) by core3.amsl.com (Postfix) with ESMTP id 6D4233A69B1 for <oauth@ietf.org>; Thu, 23 Sep 2010 18:18:54 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 23 Sep 2010 18:19:24 -0700
Received: from TK5EX14MBXC101.redmond.corp.microsoft.com ([169.254.1.200]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.01.0218.012; Thu, 23 Sep 2010 18:19:24 -0700
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Eric Sachs <esachs@google.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
Thread-Index: AQHLW3/ADVL0CKGC8EKUkUPu7YYsPpMgyTGA//+Lq3A=
Date: Fri, 24 Sep 2010 01:19:24 +0000
Message-ID: <1990A18DEA6E97429CFD1B4D2C5DA7E70BEB77@TK5EX14MBXC101.redmond.corp.microsoft.com>
References: <AANLkTinjjg1Fj5bVmtnngYqg1fFOLzUbrqSHZ9P-oHWq@mail.gmail.com> <C8C148D3.3AC59%eran@hueniverse.com>
In-Reply-To: <C8C148D3.3AC59%eran@hueniverse.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.123.12]
Content-Type: multipart/alternative; boundary="_000_1990A18DEA6E97429CFD1B4D2C5DA7E70BEB77TK5EX14MBXC101red_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 01:19:01 -0000
I have not seen the support to bring signature support back into core, have not seen the public response either, all I have seen is you raising this as an issue. We should keep the original agreement to move signatures out of core, there is enough activity on signatures that we are confident that it will proceed as a separate item. From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, September 23, 2010 6:12 PM To: Eric Sachs; OAuth WG Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec It is pretty clear from the recent public response that a core specification without signatures is going to be viewed as weak and insecure. This has been my position for over a year, and if it wasn't clear, I am going to continue expressing it. We have enough interest to get a basic signature support in the core specification, one that is not driven by enterprise use cases, complex identity solutions, or large distributed systems. Given the recent Twitter migration to OAuth 1.0a proved that with a big enough carrot (or stick, depending on your view), developers figure it out. I believe that an OAuth 1.0a style signature can be easily developed and added to the core specification as an optional feature. This is not new. This was agreed upon at the Anaheim meeting. I took the signature language out of the draft in order to focus the discussion on the other components. Now that -10 is pretty solid (normative language-wise), it is time to bring it back in. Draft -11 will include a signature proposal, even if that means a short delay. The arguments about delaying the core spec are meritless, given that a growing number of companies are releasing OAuth 2.0 APIs using the latest stable draft. We can easily do a WGLC for the current stable components, and add signatures without changing those. This working group does not make technical and architectural decisions based on the timeline needs of any company. We do what is best for the web and we take as much time as necessary. As an aside, while companies can certainly express their corporate position on matters, this is a working group of individuals, and consensus is based solely on individual voices. EHL On 9/23/10 5:30 PM, "Eric Sachs" <esachs@google.com> wrote: Google wanted to re-state our long standing opinions on HTTP signature mechanisms in the OAuth2 spec. The short version is that standards for signing parts of an HTTP request have value in use-cases other than OAuth2, and thus they should be defined outside the spec, and just referenced from the spec similar to how we reference other Internet security building blocks like SSL. Those signature standards are likely to in turn reference optional mechanisms for key rotation and discovery, as well as reference different crypto schemes like HMAC or RSA. There are already people in the identity community working on specs that are related to OAuth2, but which have value in other use-cases. For example, there are people working on defining standards around token formats, signing blobs of different types (such as a token and/or HTTP request), key discovery/rotation, and consumer-key namespaces across vendors. Dirk Balfanz from Google recently sent out updated drafts of some of those specs, and they also leverage specs that John Panzer from Google has worked on for Magic Signatures, as well as input from people in the community who are not at Google. However even though Google is working on those specs, we still believe it is a mistake to delay the OAuth2 core spec standard to wait on broad agreement for a "signature proposal," just as it would be a mistake to delay the OAuth2 core spec to wait on the standards efforts around token formats, token signing, key discovery/rotation, consumer-key naming, etc.
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes