IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Peter Saint-Andre <stpeter@stpeter.im> Tue, 01 December 2009 02:10 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C5A43A6AB2 for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 18:10:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8V6ZCuDx3JCx for <oauth@core3.amsl.com>; Mon, 30 Nov 2009 18:10:12 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 875753A6405 for <oauth@ietf.org>; Mon, 30 Nov 2009 18:10:10 -0800 (PST)
Received: from squire.local (dsl-175-187.dynamic-dsl.frii.net [216.17.175.187]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 7085D40D16; Mon, 30 Nov 2009 19:10:02 -0700 (MST)
Message-ID: <4B147AF9.5060506@stpeter.im>
Date: Mon, 30 Nov 2009 19:10:01 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Brian Eaton <beaton@google.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <4A956CE47D1066408D5C7EB34368A5110551FFC1@S4DE8PSAAQC.mitte.t-com.de> <daf5b9570911111754u49f72a0aia59814b5da497a51@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102B49@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911120745w2f576d1ej300723581e50f03f@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102E58@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cb5f7a380911130837q40d07388y1ae9b472be0ae57a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785102F1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <A4E79C63-7B5C-4FBA-9DDA-5FEB35B9584D@microsoft.com> <a9d9121c0911301432y76487b39hed670f0ed609c768@mail.gmail.com> <daf5b9570911301614u1394e71cw8ef913cae7e5b21@mail.gmail.com>
In-Reply-To: <daf5b9570911301614u1394e71cw8ef913cae7e5b21@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms060809040108000301050508"
Cc: Dick Hardt <Dick.Hardt@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 02:10:14 -0000

<hat type='individual'/>

On 11/30/09 5:14 PM, Brian Eaton wrote:
> On Mon, Nov 30, 2009 at 2:32 PM, Mike Malone <mjmalone@gmail.com> wrote:
>> If we were coming up with a more secure replacement for browser-based
>> HTTP basic auth (and looking at Aza Raskin's work with identity in
>> Firefox, OAuth in the browser doesn't appear to be that far off) would
>> you want to mandate that all auth'd HTTP traffic use TLS? Not sure if
>> the answer is yes or no, but I'm guessing many of the
>> advantages/drawbacks will be the same.
> 
> We should be really cautious about claiming that *anything* we do
> replaces TLS.  I've seen at least one academic paper criticizing OAuth
> on the basis that OAuth was designed to be secure in the absence of
> TLS, yet doesn't actually achieve that goal.

And given that TLS isn't even as secure as we thought it was (cf. the
current issues with a renegotiation attack), we really should be doubly
cautious about security technologies (like OAuth 1.0 signatures) that
have experienced significantly less implementation and deployment than
SSL/TLS (which is one of the few successful security technologies).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email