Re: [OAUTH-WG] MAC: body-hash
Peter Wolanin <peter.wolanin@acquia.com> Thu, 24 November 2011 13:02 UTC
Return-Path: <peter.wolanin@acquia.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEEBD21F8B9C for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 05:02:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIXx+GCfPMFg for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2011 05:02:42 -0800 (PST)
Received: from exprod7og102.obsmtp.com (exprod7og102.obsmtp.com [64.18.2.157]) by ietfa.amsl.com (Postfix) with SMTP id 3EDB421F8BA0 for <oauth@ietf.org>; Thu, 24 Nov 2011 05:02:42 -0800 (PST)
Received: from mail-qy0-f177.google.com ([209.85.216.177]) (using TLSv1) by exprod7ob102.postini.com ([64.18.6.12]) with SMTP ID DSNKTs5AbwE46wKNTPhQRLtnYK9OvKjW/3Xv@postini.com; Thu, 24 Nov 2011 05:02:42 PST
Received: by qyk4 with SMTP id 4so688371qyk.36 for <oauth@ietf.org>; Thu, 24 Nov 2011 05:02:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.50.65 with SMTP id a1mr9471615obo.17.1322139756846; Thu, 24 Nov 2011 05:02:36 -0800 (PST)
Received: by 10.182.30.228 with HTTP; Thu, 24 Nov 2011 05:02:36 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234526735F30E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAH0thKCUN9+Q47ZkGPzvfk81S0yUXxzxD8XURJP=p-ZBvOJ6pw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234526735F30E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 24 Nov 2011 08:02:36 -0500
Message-ID: <CAH0thKAnBDr23DpPdONUiGekkNrd52AXUcBTjHDWQJky47T6fw@mail.gmail.com>
From: Peter Wolanin <peter.wolanin@acquia.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: body-hash
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 13:02:46 -0000
I'd lobby for something more than just prose, since for me, including the body or body hash in the HMAC is a pretty essential piece of security for any real implementation. I understand that you think it should not be 100% required by all servers, and hence should not be a specified field, but then I think it should be something like a "standard" extension. For example, retain some of the existing text describing the bodyhash as using the same algorithm as the HMAC and show an example like: ext="bodyhash:k9kbtCIy0CkI3/FEfpS/oIDjk6k=" Are there any other specific things you see as common examples of ext values? Is there a suggested system for indicating or separating multiple ext values? It seems to me without a standardized way to include the body hash in the ext field, you immediately invite more diversity in implementations. It would also seem by putting it in the ext field, any client could include the hash even if the server doesn't require it? Best, Peter On Thu, Nov 24, 2011 at 12:21 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > In prose, sure. But I'd rather not go further than that. > > EHL > >> -----Original Message----- >> From: Peter Wolanin [mailto:peter.wolanin@acquia.com] >> Sent: Wednesday, November 23, 2011 11:53 AM >> To: Eran Hammer-Lahav >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] MAC: body-hash >> >> As long as a specific service can make an ext containing the body hash >> required, I think this is fine. Can the spec include body hash as an example of >> an ext? >> >> Thanks, >> >> Peter >> >> On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav >> <eran@hueniverse.com> wrote: >> > I want to reaffirm our previous consensus to drop the body-hash >> > parameter and leave the ext parameter. Body-hash as currently >> > specified is going to cause significant interop issues due to >> > character (and other) encoding issues. Providers who desire to MAC the >> > body can define their own ext use case. >> > >> > >> > >> > Let me know if you have an objection to this change. >> > >> > >> > >> > EHL >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> > >> >> >> >> -- >> Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc. >> peter.wolanin@acquia.com : 781-313-8322 >> >> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com" -- Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc. peter.wolanin@acquia.com : 781-313-8322 "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
- [OAUTH-WG] MAC: body-hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC: body-hash William Mills
- Re: [OAUTH-WG] MAC: body-hash Phil Hunt
- Re: [OAUTH-WG] MAC: body-hash Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC: body-hash Peter Wolanin
- Re: [OAUTH-WG] MAC: body-hash Peter Wolanin
- Re: [OAUTH-WG] MAC: body-hash Eran Hammer-Lahav