Re: [OAUTH-WG] Signatures, Why?

John Panzer <jpanzer@google.com> Tue, 16 March 2010 06:23 UTC


I'm confused by one "pro" for signatures:

"Protect integrity of whole request - authorization data and payload when
communicating over unsecure channel"

I do not believe there is an existing concrete proposal that will protect
the whole request, unless you add additional restrictions on the request
types -- e.g., only HTTP GET or POST with form-encoded data variables only.

If the assertion is that signatures will actually provide integrity for
arbitrary HTTP request bodies as well as the URL, authority, and HTTP
method: I would like to see at least one concrete proposal that will
accomplish this. IIRC there's only one that I think is possibly
implementable in an interoperable way, and it supports only JSON payloads.
In other words, anyone using body signing would need to wrap their data in
JSON to do it. (This is not necessarily the worst thing in the world, of
course, but it is something to be taken into account when listing pros and
cons.)

On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

>  Hi all,
>
> I composed a detailed summary at
> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy. Please review
> it.
>
> @Zachary: I also added some of your recent notes.
>
> regards,
> Torsten.
>
>  I volunteer to write it up.
>
> <hat type='chair'/>
>
> On 3/4/10 1:00 PM, Blaine Cook wrote:
>
>
>  One of the things that's been a primary focus of both today's WG call
> and last week's call is what are the specific use cases for
> signatures?
>
> - Why are signatures needed?
> - What do signatures need to protect?
>
> Let's try to outline the use cases! Please reply here, so that we have
> a good idea of what they are as we move towards the Anaheim WG.
>
>
>  This was a valuable thread. Perhaps someone could write up a summary of
> the points raised, either on the list or at the wiki?
>
> Peter
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
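
An added illustration of the coverage question raised in the message above (not part of the original thread, and not any working-group proposal): it assumes the OAuth 1.0 HMAC-SHA1 signature base string as the scheme, simplified by omitting default-port normalization, and shows that the request body is covered only when it is form-encoded. The URL, keys, secrets and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

FORM = "application/x-www-form-urlencoded"

def pct(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def signature_base_string(method, url, oauth_params, body, content_type):
    parts = urlsplit(url)
    params = list(oauth_params.items())
    params += parse_qsl(parts.query, keep_blank_values=True)
    # Only a form-encoded body contributes parameters to the signed string.
    # Any other body (JSON, XML, binary) never reaches the MAC input.
    if content_type == FORM:
        params += parse_qsl(body, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, oauth_params, body, content_type,
         consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params, body, content_type)
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample request parameters (not taken from the thread).
URL = "https://api.example.com/transfer"
OAUTH = {
    "oauth_consumer_key": "example-consumer",
    "oauth_token": "example-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1268720553",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}

def body_is_covered(content_type, original_body, modified_body):
    """True if changing the body changes the signature, i.e. a verifier
    recomputing the signature would notice the modification."""
    a = sign("POST", URL, OAUTH, original_body, content_type, "cs", "ts")
    b = sign("POST", URL, OAUTH, modified_body, content_type, "cs", "ts")
    return a != b

if __name__ == "__main__":
    print(body_is_covered(FORM, "amount=10&to=alice", "amount=9999&to=bob"))
    print(body_is_covered("application/json", '{"amount":10}', '{"amount":9999}'))
```

A receiver that needs integrity for non-form bodies under such a scheme has to bind the body some other way, for example by carrying a body digest as a signed parameter or by relying on the transport.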