Re: [OAUTH-WG] Basic signature support in the core specification

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Mon, 27 September 2010 16:50 UTC

Message-ID: <4CA0C96E.8090907@alcatel-lucent.com>
Date: Mon, 27 Sep 2010 12:42:22 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: Eve Maler <eve@xmlgrrl.com>
References: <C8C2AB33.3AD38%eran@hueniverse.com> <BFD0447E-42BB-441F-A7B3-B0CFB0F6317B@gmail.com> <E0B0A685-4BA7-451B-B0DF-C0FC429595D1@xmlgrrl.com>
In-Reply-To: <E0B0A685-4BA7-451B-B0DF-C0FC429595D1@xmlgrrl.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Basic signature support in the core specification

I think Torsten's previous comment explains it well: We cannot expect 
approval of the core, if security is not sufficiently addressed. I also 
agree that it cannot be addressed without the signature mechanism 
clearly specified. Therefore, if anything is going to delay the core, it 
is the absence of the signature specification. A dangling reference to 
work in progress won't help; the referred spec must be there.

But if both the OAuth signatures and the OAuth core specifications are 
complete and going for approval at the same time, why not actually have 
them in the same spec, especially given that we have experts who have 
agreed to work on this and ARE working on this?

Igor



Eve Maler wrote:
> It seems like you figured it out pretty quickly, given the message you 
> sent immediately after. :-)
>
> Referencing another spec from the core spec using normative text is 
> effectively "including it by reference". I meant that I'm sympathetic 
> (+1) to signaling in core OAuth that signatures are to be considered 
> an integral part of it, and that if it makes sense to do so by 
> pointing to a spec module that is pointable-to by other specs that are 
> not OAuth, that's fine (call it a soft -1 to including the signature 
> details directly in the core OAuth spec).
>
> Eve
>
> On 24 Sep 2010, at 10:39 PM, Dick Hardt wrote:
>
>> wrt. developers knowing what they need => I think the AS / PR will 
>> tell developers if they need to use signatures, or if they need to 
>> use HTTPS, or if they need to use assertions. 
>>
>> Sorry for including more than one topic in my email :: my main point 
>> was that I was confused by what Eve was proposing.
>>
>> -- Dick
>>
>>
>> On 2010-09-24, at 7:23 PM, Eran Hammer-Lahav wrote:
>>
>>> Most developers don’t know if they need signatures! By putting them 
>>> elsewhere we will be promoting the bearer token approach as the 
>>> default choice and that’s unacceptable to me. It is promoting a 
>>> specific security compromise (for developer ease) that is far from 
>>> industry consensus.
>>>
>>> I can make the same arguments about assertions. Or any single 
>>> profile. Or any client credentials type. The bits that are in are 
>>> based solely on a team effort in trying to accommodate as many 
>>> people as possible. Seems like those opposed to signatures got 
>>> everything they want, don’t really care about others, and are ready 
>>> to call it a day.
>>>
>>> EHL
>>>
>>>
>>> On 9/24/10 5:20 PM, "Dick Hardt" <dick.hardt@gmail.com> wrote:
>>>
>>>     That's a confusing answer Eve. Is it in the spec or pointed to
>>>     from the spec?
>>>
>>>     I think there is consensus that there are enough use cases that
>>>     signatures need to be spec'ed -- the question is if the
>>>     signature spec is in core or a separate spec.
>>>
>>>     For people that don't need signatures, having them separate
>>>     keeps the core spec simpler. Having a separate spec enables
>>>     other groups to reuse the signature mechanism without confusing
>>>     their readers with the rest of the OAuth spec.
>>>
>>>     On 2010-09-24, at 1:37 PM, Eve Maler wrote:
>>>
>>>     > +1 for signature support in the core spec (which may look like
>>>     normative pointers out to a separate spec module if it turns out
>>>     there's wider usage for that module beyond OAuth).
>>>     >
>>>     >       Eve
>>>     >
>>>     > On 23 Sep 2010, at 6:43 PM, Eran Hammer-Lahav wrote:
>>>     >
>>>     >> Since much of this recent debate was done off list, I'd like
>>>     to ask people
>>>     >> to simply express their support or objection to including a
>>>     basic signature
>>>     >> feature in the core spec, in line with the 1.0a signature
>>>     approach.
>>>     >>
>>>     >> This is not a vote, just taking the temperature of the group.
>>>     >>
>>>     >> EHL
>>>     >>
>>>     >> _______________________________________________
>>>     >> OAuth mailing list
>>>     >> OAuth@ietf.org
>>>     >> https://www.ietf.org/mailman/listinfo/oauth
>>>     >
>>>     >
>>>     > Eve Maler                                  http://www.xmlgrrl.com/blog
>>>     > +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>>>     >
>>>     > _______________________________________________
>>>     > OAuth mailing list
>>>     > OAuth@ietf.org
>>>     > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
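The disagreement above turns on what the "1.0a signature approach" binds that a bearer token does not. The following is an added example written for this page; it is not code from any message in the thread or from the OAuth specifications. It builds an RFC 5849-style HMAC-SHA1 signature base string, signs a request, and runs a resource-server verifier that recomputes the signature and rejects replays, altered URLs, altered methods and stale timestamps, next to a bearer check that accepts the same token string regardless of where it is sent. The consumer key, secrets, token, URL, nonce and timestamp are constructed placeholders, and the verifier's credential store and skew window are assumptions of the example.

```python
# Added illustration of RFC 5849 (OAuth 1.0a-style) HMAC-SHA1 request signing.
# All keys, secrets, tokens, URLs, nonces and timestamps are constructed placeholders.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string (section 3.4.1): METHOD & base URL & sorted params.

    Scheme/host are lower-cased, default ports dropped, query parameters folded
    into the parameter set, and oauth_signature itself excluded."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by the two encoded secrets (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_request(method, url, body, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """Client side: add the oauth_* protocol parameters, then the signature."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class SignatureVerifier:
    """Resource-server side. `credentials` maps consumer_key ->
    (consumer_secret, {token: token_secret}); `window` is accepted clock skew."""

    def __init__(self, credentials, window=300):
        self.credentials = credentials
        self.window = window
        self.seen = set()  # (consumer_key, token, nonce, timestamp) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        try:
            ckey, token, nonce = (params["oauth_consumer_key"],
                                  params["oauth_token"], params["oauth_nonce"])
            consumer_secret, tokens = self.credentials[ckey]
            token_secret = tokens[token]
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False  # stale or far-future timestamp
        if (ckey, token, nonce, ts) in self.seen:
            return False  # same nonce/timestamp pair seen before: replay
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, str(params.get("oauth_signature", ""))):
            return False  # token, method, URL or any parameter was altered
        self.seen.add((ckey, token, nonce, ts))
        return True


def bearer_accepts(token, valid_tokens, method=None, url=None):
    """Bearer check for contrast: possession of the string is the whole proof;
    method and URL play no part, which is the gap a signature closes."""
    return token in valid_tokens


def demo():
    """Constructed scenario: one genuine signed POST, then the captured copy replayed,
    redirected to another URL, re-sent with another method, and sent an hour late."""
    url = "https://api.example.com/v1/resource"
    creds = {"consumer-key-1": ("consumer-secret-1", {"token-1": "token-secret-1"})}
    now = 1285604542
    req = signed_request("POST", url, {"q": "r b"}, "consumer-key-1", "consumer-secret-1",
                         "token-1", "token-secret-1", nonce="nonce-1", timestamp=now)
    rs = SignatureVerifier(creds)
    return {
        "genuine": rs.verify("POST", url, req, now),
        "replayed": rs.verify("POST", url, req, now),
        "other_url": SignatureVerifier(creds).verify("POST", url + "/other", req, now),
        "other_method": SignatureVerifier(creds).verify("GET", url, req, now),
        "stale": SignatureVerifier(creds).verify("POST", url, req, now + 3600),
        "bearer_anywhere": bearer_accepts("token-1", {"token-1"}, "DELETE", "https://x/"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```

The verifier is deliberately stateful: the nonce/timestamp set is what turns a signature from an integrity check into replay protection, and on a real deployment it needs to be shared across server instances and expired with the skew window. Note also that the signature covers the normalized request, so any proxy that rewrites the path or reorders nothing but re-encodes parameters will break verification; that is a known deployment cost of the 1.0a approach and part of why the thread treats bearer versus signed as a trade-off rather than a free choice.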