Re: [woes] Native JWT support in Google App Engine
Jian <sonicgg@gmail.com> Sun, 17 April 2011 19:54 UTC
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11281FB7FF1@WSMSG3153V.srv.dir.telstra.com>
References: <BANLkTikAd0gbN2x8cWQQRZXwehugCE3tXw@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11281FB7FF1@WSMSG3153V.srv.dir.telstra.com>
Date: Sun, 17 Apr 2011 12:53:57 -0700
Message-ID: <BANLkTi=QW23T1if4YAFgx1e7JzdaHZkdjw@mail.gmail.com>
From: Jian <sonicgg@gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "woes@ietf.org" <woes@ietf.org>
Subject: Re: [woes] Native JWT support in Google App Engine
Hey James,

You are right. In real cases, we should rely on HTTPS to transmit certificates. Since it's just a sample app, I omitted HTTPS setup for simplicity. I will add this to the document.

Thanks.
Jian

On Thu, Apr 14, 2011 at 11:03 PM, Manger, James H <James.H.Manger@team.telstra.com> wrote:
> Eric,
>
> This feels a bit like WebID <http://www.w3.org/2005/Incubator/webid/spec/> – except the client's public key is used to verify a message they signed, rather than a TLS tunnel they established. Both identify the client by a URI that delivers a certificate.
>
> Your Cloud-to-On-Premise flow, WebID, and OpenID really need to use HTTPS URIs as identities to be secure. However, your sample app <https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app> has an HTTP id http://app-identity-java.appspot.com/certs. Was this an oversight, or isn't security of this system supposed to depend on how the app's self-signed short-lived (daily) certificate is obtained?
>
> --
> James Manger
>
> From: woes-bounces@ietf.org [mailto:woes-bounces@ietf.org] On Behalf Of Eric Sachs
> Sent: Thursday, 7 April 2011 5:43 AM
> To: woes@ietf.org
> Subject: [woes] Native JWT support in Google App Engine
>
> Google has just added native support for JWT to Google App Engine. Here is the documentation:
> https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
>
> Our hope is to work with other players in the cloud computing space to improve some elements of cloud security by using PKI, JWT & OAuth2 for interop between our systems.
>
> Based on past industry discussion, we wrote up a description of some of the general interop use-cases:
> https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise
> https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud
>
> While this new feature in Google App Engine is a significant step for Google, we realize there is more to do on our side such as adding support for JWT assertions in our recently announced OAuth2 support for Google APIs <http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>. However we would prefer to get feedback from this group on a standard approach, including around key rotation/management.
>
> Eric Sachs
> Senior Product Manager, Internet Identity
> Google

--
Jian
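As an added example (not the App Engine sample's code, and not from any author in this thread), a Python preflight check on the receiving side that refuses to fetch the signer's certificate unless the identity URI is https, which is the gap James points out. Using the `iss` claim to carry the certificate URI, the function names, and the token built inline are assumptions made for the example.

```python
import base64
import json
from urllib.parse import urlsplit

# Added example, not the App Engine sample's code. Assumption: the token's
# "iss" claim carries the URI that delivers the signer's certificate, in the
# role of the sample's http://app-identity-java.appspot.com/certs.

def check_cert_uri(uri):
    """Accept only an absolute https:// URI with a host and no userinfo.
    An http:// certificate URI lets anyone on the path swap the self-signed
    daily certificate, so the verifier refuses to fetch from it at all."""
    p = urlsplit(uri)
    return (p.scheme == "https" and bool(p.hostname)
            and p.username is None and p.password is None)

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_unsigned_token(header, claims):
    """Build a compact JWT with a placeholder signature (constructed test
    input only; a real token is signed with the app's RSA private key)."""
    segs = [_b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(segs + [_b64url_encode(b"placeholder-signature")])

def preflight(token, now):
    """Decide whether it is worth fetching the issuer's certificate at all.
    Returns (ok, reason_or_cert_uri). Signature verification comes later,
    against the key obtained from the https URI this function approves."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":       # also rejects "none"
        return False, "alg"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    uri = claims.get("iss", "")
    if not check_cert_uri(uri):
        return False, "issuer cert URI is not https"
    return True, uri
```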