Re: [OAUTH-WG] MAC Tokens body hash
Eran Hammer-Lahav <eran@hueniverse.com> Mon, 15 August 2011 16:47 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0AD21F8C37 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 09:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.56
X-Spam-Level:
X-Spam-Status: No, score=-2.56 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OXF1J9LKW9h for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 09:47:44 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id E51C721F8BF8 for <oauth@ietf.org>; Mon, 15 Aug 2011 09:47:43 -0700 (PDT)
Received: (qmail 26913 invoked from network); 15 Aug 2011 16:48:28 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Aug 2011 16:48:28 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Mon, 15 Aug 2011 09:48:08 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "William J. Mills" <wmills@yahoo-inc.com>, Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 15 Aug 2011 09:46:56 -0700
Thread-Topic: [OAUTH-WG] MAC Tokens body hash
Thread-Index: AcxbatlV4pJDeWUeSfKT9bWlPtPqVQAAASHA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234502498CE9A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723450245F611B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B68A58A7-EE11-4CC9-971F-6A58FB88DFBA@kiva.org> <90C41DD21FB7C64BB94121FBBC2E723450245F6626@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C78EE39E-A46B-4540-85E0-280B42527A21@oracle.com> <1312392474.29804.YahooMailNeo@web31801.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E72345024864560@P3PW5EX1MB01.EX1.SECURESERVER.NET> <81B6B8AF-4EC0-4F08-B48C-D1E7B39AE506@oracle.com> <A3E51E9C-22BD-48F2-806A-9BC4411927BB@hueniverse.com> <1312506375.29372.YahooMailNeo@web31802.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1313426763.9579.YahooMailNeo@web31806.mail.mud.yahoo.com>
In-Reply-To: <1313426763.9579.YahooMailNeo@web31806.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234502498CE9AP3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC Tokens body hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 16:47:46 -0000
Let’s just keep ‘ext’ and drop ‘bodyhash’. Seems like this should resolve the issue. EHL From: William J. Mills [mailto:wmills@yahoo-inc.com] Sent: Monday, August 15, 2011 9:46 AM To: Eran Hammer-Lahav; Phil Hunt Cc: OAuth WG Subject: Re: [OAUTH-WG] MAC Tokens body hash "add" doesn't really say it to me either. "ah", short for "additional hash" is somewhat more mnemonic for me, but then I think "ext" isn't horrible because it's a frequent abbreviation for extension. -bill ________________________________ From: Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> To: William J. Mills <wmills@yahoo-inc.com<mailto:wmills@yahoo-inc.com>>; Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> Cc: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Sent: Sunday, August 14, 2011 11:28 PM Subject: RE: [OAUTH-WG] MAC Tokens body hash How about ‘add’? as in “Used to include additional data in the MAC normalized string”. EHL From: William J. Mills [mailto:wmills@yahoo-inc.com]<mailto:[mailto:wmills@yahoo-inc.com]> Sent: Thursday, August 04, 2011 6:06 PM To: Eran Hammer-Lahav; Phil Hunt Cc: OAuth WG Subject: Re: [OAUTH-WG] MAC Tokens body hash It's the proverbial 'void *client_data;' equivalent. All names for that to date suck, my favorite is 'rock'. ________________________________ From: Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> To: Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> Cc: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Sent: Thursday, August 4, 2011 4:42 PM Subject: Re: [OAUTH-WG] MAC Tokens body hash Ok. We seem to be using different definitions of what application data mean, but have the same use cases in mind. I'll come up with a different name or just keep ext. EHL On Aug 3, 2011, at 12:42, "Phil Hunt" <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote: Only allowing (implied or not) app data is needlessly narrow in scope. Extending MAC to include claims or session information is a perfectly valid thing to do. It improves scalability and reduces the need to look up artifact data. Note: I'd like to share more on this, but I'm prioritizing the Threat Model document. Never-the-less, the above should be a sufficient example about why extensibility is useful. Phil @independentid www.independentid.com<http://www.independentid.com> phil.hunt@oracle.com<mailto:phil.hunt@oracle.com> On 2011-08-03, at 11:03 AM, Eran Hammer-Lahav wrote: My proposal is to change ‘ext’ to ‘app’, keep the same prose as ‘ext’, and add the use case of ‘bodyhash’ as an example. I’m not too stuck on the name, but my thinking is that ‘app’ relays the right message that this is a place where developers can stick any application data they want included. ‘ext’ conveys the idea of extensions which I’m not so thrilled about. In other words, I’d like a developer reading this to feel comfortable using it right away for securing addition bits such as a JSON payload, but I don’t like the idea of someone publishing an I-D with a full syntax and canonicalization requirements for say, singing an entire request, headers and all. I feel that would be much better accomplished by defining a new HTTP authentication scheme. Philosophically, I think extensible authentication schemes are a bad idea. EHL From: William J. Mills [mailto:wmills@yahoo-inc.com]<mailto:[mailto:wmills@yahoo-inc.com]> Sent: Wednesday, August 03, 2011 10:28 AM To: Phillip Hunt; Eran Hammer-Lahav Cc: Ben Adida; OAuth WG; Adam Barth(adam@adambarth.com<mailto:adam@adambarth.com>) Subject: Re: [OAUTH-WG] MAC Tokens body hash In thinking about this I'm coming around to the viewpoint that a single additional predefined spot is sufficient. If the app developer wants to include addtional data there (iun the specified format) that's fine. If what they want to do is include a signature of other payload that's fine too. I'm not in love with the name "app" though, "ext" is better. ________________________________ From: Phillip Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> To: Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> Cc: Ben Adida <ben@adida.net<mailto:ben@adida.net>>; OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>>; "Adam Barth(adam@adambarth.com<mailto:adam@adambarth.com>)" <adam@adambarth.com<mailto:adam@adambarth.com>> Sent: Tuesday, August 2, 2011 7:14 PM Subject: Re: [OAUTH-WG] MAC Tokens body hash Phil On 2011-08-02, at 18:02, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote: The idea is to drop 'ext' and 'bodyhash' due to being underspecified and therefore causing more harm than good. I added 'ext' to allow for application specific data to be included in the signed content. However, the name suggests this is an extension point for future specifications. I believe authentication schemes should not be extensible in ways that affect their security or interop properties and without additional text (registry, process, etc) for the 'ext' parameter, it will cause more issues than help. Instead of the 'ext' parameter I am suggesting the 'app' parameter which will do the same, but will be better positioned as an application-specific data. The prose will go a step further and recommend that the parameter value include a hash of the data, not the data itself. This is to ensure the parameter does not become part of the payload which is inappropriate for HTTP requests. -1 what you describe appears to be a separate feature from ext As for the 'bodyhash' parameter, I would like to remove it because it is underspecified (we had an actual deployment experience showing that it doesn't produce interoperable implementations due to the many HTTP body transformation applied in most frameworks). Solving this issue is not possible due to the many different types of bodies and frameworks (and clearly operating on the "raw" body doesn't work). Instead, developers can use the new 'app' parameter to accomplish that. +1 As for the normalized string, it will be adjusted to reflect these changes when they are made, so no placeholders which will require code change. Considering this is -00, it is clearly not a stable document. Will these changes work with your use cases? EHL -----Original Message----- From: Skylar Woodward [mailto:skylar@kiva.org]<mailto:[mailto:skylar@kiva.org]> Sent: Tuesday, August 02, 2011 4:02 PM To: Eran Hammer-Lahav Cc: OAuth WG; Ben Adida; 'Adam Barth (adam@adambarth.com<mailto:adam@adambarth.com>)' Subject: Re: [OAUTH-WG] MAC Tokens body hash hurrah! (not necessarily for losing a way to sign the body, but for simplicity and avoiding some of the potential inconsistencies w/ bodyhash). Is your plan to reserve an empty line 6 for the Normalized Request String (which was used for bodyhash) or eliminate it, brining the total to six elements? skylar On Jul 30, 2011, at 3:43 AM, Eran Hammer-Lahav wrote: I plan to drop support for the bodyhash parameter in the next draft based on bad implementation experience. Even with simple text body, UTF encoding has introduced significant issues for us. The current draft does not work using simple JS code between a browser and node.js even when both use the same v8 engine due to differences in the body encoding. Basically, the JS string used to send a request from the browser is not the actual string sent on the wire. To fix that, we need to force UTF-8 encoding on both sides. However, that is very much application specific. This will not work for non-text bodies. Instead, the specification should offer a simple way to use the ext parameter for such needs, including singing headers. And by offer I mean give examples, but leave it application specific for now. I am open to suggestions but so far all the solutions I came up with will introduce unacceptable complexity that will basically make this work useless. EHL _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash William J. Mills
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash William J. Mills
- Re: [OAUTH-WG] MAC Tokens body hash Phil Hunt
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Phil Hunt
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Skylar Woodward
- Re: [OAUTH-WG] MAC Tokens body hash Barry Leiba
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Phillip Hunt
- Re: [OAUTH-WG] MAC Tokens body hash William J. Mills
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Phil Hunt
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash William J. Mills
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash William J. Mills
- Re: [OAUTH-WG] MAC Tokens body hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC Tokens body hash Phillip Hunt