Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Luke Shepard <lshepard@facebook.com> Tue, 28 September 2010 16:15 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 893263A6D49 for <oauth@core3.amsl.com>; Tue, 28 Sep 2010 09:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.948
X-Spam-Level:
X-Spam-Status: No, score=-101.948 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id co5ZN5Rxvkeh for <oauth@core3.amsl.com>; Tue, 28 Sep 2010 09:15:46 -0700 (PDT)
Received: from mx-out.facebook.com (outmail020.snc4.facebook.com [66.220.144.152]) by core3.amsl.com (Postfix) with ESMTP id DAC473A6CB9 for <oauth@ietf.org>; Tue, 28 Sep 2010 09:15:45 -0700 (PDT)
Received: from [192.168.18.212] ([192.168.18.212:16080] helo=mail.thefacebook.com) by mta013.snc4.facebook.com (envelope-from <lshepard@facebook.com>) (ecelerity 2.2.2.45 r(34222M)) with ESMTP id D1/C9-03474-7D412AC4; Tue, 28 Sep 2010 09:16:23 -0700
Received: from SC-MBX05.TheFacebook.com ([169.254.4.4]) by sc-hub04.TheFacebook.com ([fe80::8df5:7f90:d4a0:bb9%11]) with mapi; Tue, 28 Sep 2010 09:16:23 -0700
From: Luke Shepard <lshepard@facebook.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Thread-Topic: [OAUTH-WG] Looking for a compromise on signatures and other open issues
Thread-Index: Actez1CK1yneinyMRserD5y1FIwYngAk9jKA
Date: Tue, 28 Sep 2010 16:16:21 +0000
Message-ID: <52829A19-0E1B-4FD3-97BB-EEDFCA0898DF@facebook.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_52829A190E1B4FD397BBEEDFCA0898DFfacebookcom_"
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 16:15:48 -0000

Eran-

Thanks for writing a great explanation of where we are so far. I agree that it makes sense to logically separate "getting a token" from "using a token", and we should structure it so that there can be extension specs about how to use a token. It also seems clear that we should do some more work to build consensus on signature method. Both great points.

As far as the charter: this workgroup has had a focus on building an interoperable, easy-to-use, developer-friendly standard that is actually used. With the goal of market adoption, we should strive to codify those practices that will people will use. Bearer tokens are already widely adopted - Facebook, Twitter, Google, Microsoft, and others are already using this. While I understand that there are some security considerations, on balance, these companies have chosen that it's an acceptable tradeoff. In the interest of interoperability, doesn't it make sense to include the way that many people are going to use it in the spec?

Anyway, by defining a default parameter, aren't we already admitting that the spec isn't complete without bearer tokens anyway?

On Sep 27, 2010, at 11:25 PM, Eran Hammer-Lahav wrote:

(Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.)

--- IETF Process

For those unfamiliar with the IETF process, we operate using rough consensus. This means most people agree and no one strongly objects. If someone strongly objects, it takes a very unified group to ignore that person, with full documentation of why the group chose to do so. That person can raise the issue again during working group last call, area director review, and IETF last call - each has the potential to trigger another round of discussions with a wider audience. That person can also appeal the working group decision before it is approved as an RFC.

The process is managed by the working group chairs. The chairs elect the editor and make consensus calls. So far this working group had only a few consensus calls (breaking the 1.0a RFC into two parts and dropping these in favor of a unified WRAP + 1.0a draft). From my experience and understanding of the process, this working group does not have rough consensus on any of the open items to make consensus calls and close the issues. Simply dismissing the few objections raised will not accomplish finishing the document sooner, but will only add more rounds of debates now and at a later time.

One of the problems we have is that we work without a charter. Usually, the charter is the most useful tool chairs have when limiting scope and closing debates. For example, had we fixed the charter last year to explicitly say that we will publish one document with both bearer tokens and signatures, the chairs could have ended this argument by pointing to the charter. Since we have no charter, the chairs have little to offer in terms of ending these disagreements. We never officially agreed what we are here to solve.

The reality of this working group is that we need to find a way to make everyone happy. That includes every one of those expressing strong opinions. Any attempt to push people around, dismiss their views, or reject reasonable compromises will just keep the issues open. If this small group cannot reach agreement, the specification will surely fall apart during working group last call, area director review, IETF last call, application area review, security area review, general area review, IANA review, and IESG review.

It’s a long process, and at each step, anyone can raise their hand and object. A united working group is the most important tool to end discussions over objections and concerns raised at each step. It also give people the confidence to implement a working group final draft before it is published as an RFC (because it is much less likely to change).

--- Open Issues

This working group has failed to reach consensus on a long list of items, among them are the inclusion of signatures, signatures format, use of HTTP authentication headers, restrictions on bearer tokens, support for specific profiles, etc. While many of these items faded away, I would not be surprise to see them all come back.

The current argument over signatures ignores compromises and agreements reached over the past two years. This working group explicitly rejected WRAP as the replacement for OAuth 1.0 and the whole point of combining 1.0a with WRAP was the inclusion of signatures. We reached another agreement to keep signatures at the Anaheim meeting. The current draft is a version of WRAP alone.

There are currently three separate threads going on:

1. OAuth 1.0a style signatures vs. JSON proposals
2. Including a signature mechanism in core
3. Concerns about bearer tokens and HTTPS

The first item will not be resolved because we are not going to reach industry consensus over a single signature algorithm (this is a general comment, not specific to these two proposals). The only thing we can do is let those who care about each solution publish their own specification and let the market decide.
The second item, while it was part of the very first compromise this working group made (when we combined the two specifications), cannot be resolved because of #1. We can’t agree on which signature method to include, and including all is not practical. For these reasons, including a signature algorithm in core is not likely to happen. I have made some proposals but they received instant negative feedback which means we have no consensus.

The third item has also been debated and blogged for a long time and is not going to be resolved in consensus. Instead, we will need to find the right language to balance security concerns with the reality that many providers are going to deploy bearer tokens no matter what the IETF says. The OAuth 1.0a RFC was blocked by the IESG until the PLAINTEXT method required HTTPS, and I would expect the same issue to come up with the current draft.
--- Proposal

1. Add a parameter to the token response to include an extensible token scheme.

The default (if omitted) will be whatever the bearer token scheme is called. This will allow the authorization server to return any token type it deems appropriate, and for other specifications to define additional parameters such as token_secret. Others can extend the token request endpoint by allow the client to request a specific token scheme.

2. Break the core specification into multiple parts.

Go back to the original working group consensus to break the document into two parts: getting a token and using a token. Getting a token will include everything from core expect for section 5. Section 5 will become a new specification which will describe how to use a bearer token (replacing the generic ‘OAuth’ scheme with something more descriptive like).

3. Introduce two signature proposals in one or more documents, for the JSON token and 1.0a-like method.

One, both, or none can become working group item.

--- Benefits

1. Remove the HTTP binding from the core specification, leaving it transport agnostic for using access tokens.

2. Solve a few open issues:

* Concerns over bearer tokens as the preferred/promoted/default token method.
* The use of one or more HTTP authentication schemes, and the general architecture of using tokens.
* Issues around scheme names.
* Concerns over requiring HTTPS will be limited to only one part of the protocol.
* The need to pick one signature format.
* The need to finish signatures before the core (‘how to get an access token’).
* The need to decide on discovery for the entire protocol (moves it to each scheme).

3. Allow moving the core specification to last call within a few weeks (and maybe also the bearer token part).

--- Downside

The only downside of this approach is that people will need to read at least two documents. It will not take any more effort or time, just some guidance.

--- Request for feedback

This proposal represents a purely editorial compromise. I believe it gives everyone enough to move forward. It has no impact on implementations. By breaking the problem into pieces, we allow those who strongly disagree to simply disengage that work and focus on the parts that matter to them.

EHL


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth