Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 01 June 2011 12:43 UTC
Message-ID: <4DE62D93.7040009@cs.tcd.ie>
Date: Wed, 01 Jun 2011 13:16:19 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Mark Nottingham <mnot@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
In-Reply-To: <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] HTTP MAC Authentication Scheme
Just on DOSETA - that's not currently got any official home in the IETF so it's not something that would be right to reference at this point (unless the oauth WG wanted to adopt DOSETA but I'd be very surprised if that were the case for timing reasons).

However I do agree that keeping in mind that folks may move towards something like DOSETA in future is a good plan.

To be clear, as an individual, I do think that "something like DOSETA" is a really good idea and maybe DOSETA will turn out to be that something, I don't know.

S.

On 01/06/11 00:57, Mark Nottingham wrote:
> Hi,
>
> Reading draft -05.
>
> The "normalized request string" contains the request-URI and values extracted from the Host header. Be aware that intermediaries can and do change these; e.g., they may change an absolute URI to a relative URI in the request-line, without affecting the semantics of the request. See [1] for details (it covers other problematic conditions too).
>
> It would be more robust to calculate an effective request URI, as in [2].
>
> Also, if you include a hash of the request body, you really need to include a hash of the body media type.
>
> Generally, I think that people can and will want to include other headers; just because *some* developers can't get this right doesn't mean we should preclude *all* developers from doing it. It'd be really nice to see this either leverage DOSETA [3][4], or at least offer a clean transition path to it.
>
> Regards,
>
> 1. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.1.2
> 2. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3
> 3. http://tools.ietf.org/html/draft-crocker-dkim-doseta-00
> 4. http://tools.ietf.org/html/draft-crocker-doseta-base-02
>
>
> On 10/05/2011, at 5:22 AM, Eran Hammer-Lahav wrote:
>
>> (Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org> mailing list)
>>
>> http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
>>
>> The draft includes:
>>
>> * An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
>> * An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
>> * An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.
>>
>> Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely “abused” for simple client-server authentication (the poorly named ‘two-legged’ use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.
>>
>> Comments and feedback are greatly appreciated.
>>
>> EHL
>
> --
> Mark Nottingham http://www.mnot.net/
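The two points Mark Nottingham raises in the quoted message (sign an effective request URI rather than whatever the request-line happens to carry, and cover the body's media type when you hash the body) as an added worked example in Python. This is not code from the draft or from anyone in the thread. It assumes a simplified normalized-string layout modelled on the draft (timestamp, nonce, method, URI, host, port, body hash, ext, each newline-terminated), a constructed MAC key, HMAC-SHA256, and only http/https origin-form and absolute-form request targets; all names and sample values are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key for the example; not from the draft or the thread.
MAC_KEY = b"constructed-demo-mac-key"


def effective_request_uri(request_target, host_header, scheme="http"):
    """Return (scheme, host, port, path-and-query) for a request.

    Absolute-form targets ("http://example.com/r") carry their own authority;
    origin-form targets ("/r") take it from the Host header.  Both forms of
    the same request yield the same tuple, which is why signing an effective
    request URI survives an intermediary rewriting the request-line.
    Assumed simplification: http/https only; authority-form and asterisk-form
    targets are not handled.
    """
    parts = urlsplit(request_target)
    if parts.scheme in ("http", "https"):
        scheme = parts.scheme
        authority = parts.netloc
    else:
        authority = host_header
    host, _, port = authority.lower().partition(":")
    if not port:
        port = "443" if scheme == "https" else "80"
    path_and_query = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return scheme, host, port, path_and_query


def body_hash(body, content_type):
    """Hash the body together with its media type (the Content-Type value),
    so the MAC over the hash also covers how the body is to be interpreted."""
    digest = hashlib.sha256()
    digest.update(content_type.strip().lower().encode("ascii"))
    digest.update(b"\n")
    digest.update(body)
    return base64.b64encode(digest.digest()).decode("ascii")


def normalized_request_string(timestamp, nonce, method, request_target,
                              host_header, body=b"", content_type="",
                              scheme="http", ext=""):
    """Build the string the MAC is computed over.

    Field order (timestamp, nonce, method, URI, host, port, body hash, ext,
    each newline-terminated) is an assumed layout modelled on the draft, not
    a copy of its text.  URI, host and port come from the effective request
    URI rather than from the raw request-line.
    """
    scheme, host, port, path_and_query = effective_request_uri(
        request_target, host_header, scheme)
    bh = body_hash(body, content_type) if body else ""
    fields = [str(timestamp), nonce, method.upper(), path_and_query,
              host, port, bh, ext]
    return "".join(f + "\n" for f in fields)


def compute_mac(key, normalized):
    """HMAC-SHA256 over the normalized request string, base64 encoded."""
    tag = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")


def verify_mac(key, normalized, presented_mac):
    """Server-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(compute_mac(key, normalized), presented_mac)


if __name__ == "__main__":
    ts, nonce = 1306934400, "dj83hs9s"  # constructed timestamp and nonce
    # The same request, once in origin-form and once after an intermediary
    # rewrote the request-line into absolute-form.
    origin = normalized_request_string(
        ts, nonce, "GET", "/resource/1?b=1&a=2", "example.com")
    absolute = normalized_request_string(
        ts, nonce, "GET", "http://example.com/resource/1?b=1&a=2", "example.com")
    assert compute_mac(MAC_KEY, origin) == compute_mac(MAC_KEY, absolute)
    # Signing the raw request-line verbatim would not survive that rewrite.
    assert compute_mac(MAC_KEY, "/resource/1?b=1&a=2") != \
        compute_mac(MAC_KEY, "http://example.com/resource/1?b=1&a=2")
    # Same bytes, different media type: different body hash, different MAC.
    assert body_hash(b"{}", "application/json") != body_hash(b"{}", "text/plain")
    print("ok")
```

The server side reconstructs the same normalized string from the request as it actually arrived (after any intermediary rewriting) plus the client-supplied timestamp and nonce, and then calls verify_mac; because the URI, host and port are derived rather than copied from the request-line, a proxy changing absolute-form to origin-form or back does not break verification.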