Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

"Manger, James H" <> Thu, 09 February 2012 06:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 99AFB21F85C2 for <>; Wed, 8 Feb 2012 22:51:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.949
X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[AWL=-2.048, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 99glduO-NuQ8 for <>; Wed, 8 Feb 2012 22:51:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 8B66321F8575 for <>; Wed, 8 Feb 2012 22:51:11 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.73,388,1325422800"; d="scan'208";a="61668987"
Received: from unknown (HELO ([]) by with ESMTP; 09 Feb 2012 17:51:10 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6614"; a="50311615"
Received: from ([]) by with ESMTP; 09 Feb 2012 17:51:10 +1100
Received: from ([]) by ([]) with mapi; Thu, 9 Feb 2012 17:51:09 +1100
From: "Manger, James H" <>
To: Eran Hammer <>, "" <>
Date: Thu, 09 Feb 2012 17:51:08 +1100
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
Thread-Index: Aczmin72I/oJpkoTSO+o8M4FxeCnXQAAACOQABVWq0A=
Message-ID: <>
References: <> <90C41DD21FB7C64BB94121FBBC2E723453AADDD3F6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 Feb 2012 06:51:29 -0000

Eran, a couple of comments on the new MAC spec:

The example (§1.1) does not seem to be correct. That is, I calculate mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value.

The example in §3.2.1 has a typo. It says "using timestamp "264095:7d8f3e4a"", but should say "using timestamp "264095"".

Timestamp verification (§4.1) is described as preventing replay attacks. However, the 3 dot points that server  MUST do only ensure that requests (other than the first) are approximately fresh (assuming the first was fresh). Of course, it is fairly obvious that the service can keep a copy of {ts,nonce,id} tuples (while the ts is still approximately fresh) to detect replays.

When the ts field is defined (§3.1) it is probably worth mentioning that the fixed point in time (epoch) chosen to calculate ts MUST remain the same for the lifetime of the key. That is, a client app cannot pick a new epoch each time it starts if it is using the same key across restarts.

Personally, I would almost prefer it to say: ts is seconds since 1970 were possible; clients without a real-time clock can choose an arbitrary epoch, but it must remain the same for the lifetime of the key; servers SHOULD NOT assume client clocks are well synchronized to their own. It is RECOMMENDED that a server assumes the 1st request with a given key is fresh, and use the ts value in that request to determine the offset between the client & servers clocks. That offset (assumed to remain constant) can be used to determine if subsequent requests are fresh.

James Manger

-----Original Message-----
From: [] On Behalf Of Eran Hammer
Sent: Thursday, 9 February 2012 4:55 AM
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

Main changes:

Removed cookies support
Removed body hash
Clarified timestamp verification

I still have more comments to process but wanted to get a new draft out first as the current one expired.

Please review the new timestamp prose and let me know what you think. I'm trying to allow the client to use any timestamp it can easily produce, and move the verification logic to the server as much as possible.


> -----Original Message-----
> From: [] On Behalf
> Of
> Sent: Wednesday, February 08, 2012 9:52 AM
> To:
> Cc:
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol Working Group of
> the IETF.
> 	Title           : HTTP Authentication: MAC Access Authentication
> 	Author(s)       : Eran Hammer-Lahav
> 	Filename        : draft-ietf-oauth-v2-http-mac-01.txt
> 	Pages           : 20
> 	Date            : 2012-02-08
>    This document specifies the HTTP MAC access authentication scheme, an
>    HTTP authentication method using a message authentication code (MAC)
>    algorithm to provide cryptographic verification of portions of HTTP
>    requests.  The document also defines an OAuth 2.0 binding for use as
>    an access-token type.
> A URL for this Internet-Draft is: