Re: [OAUTH-WG] why are we signing?

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 09 November 2009 07:48 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Eaton <beaton@google.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 09 Nov 2009 00:48:32 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
In-Reply-To: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com>
Subject: Re: [OAUTH-WG] why are we signing?

The problem is, we are not likely to ever reach consensus on 'reasonable security'.

For example, I don't find most cookie-based session systems reasonably secure without SSL/TLS. Being able to sit at a coffee shop with free wifi and a laptop and steal session cookies, then access people's email for the duration the cookie is valid isn't reasonable or secure.

If you would like to try this approach, I would suggest adding next to each option the list of common attacks still possible under those terms. It will allow us to evaluate the added security each level of complexity brings.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Brian Eaton
> Sent: Sunday, November 08, 2009 9:03 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] why are we signing?
> 
> Hey folks -
> 
> What are the use cases for cryptography in OAuth?  Why are we signing
> requests?  And how much of each request do we need to sign in order to
> be useful?
> 
> As I see it, we have roughly the following menu of choices:
> 
> 1) No signatures.
>     Just use bearer tokens.  Use transport layer encryption to keep
> those bearer tokens from leaking.
> 
> 2) Signed tokens.
>     We could just sign a timestamp, rather than entire messages.
> 
> 3) Partially signed messages.
>     We could sign just the request URL, or the request URL plus some
> parameters.
> 
> 4) Fully signed messages.
>     Sign as much of the HTTP request as possible, down to the bits of
> the HTTP entity body.
> 
> My guess is we need at least two out of those four choices (one with
> bearer tokens, a la OAuth 1.0 plaintext) and another with
> cryptography.  But I'm not sure whether we need to sign entire
> messages, or if we can get away with something simpler and still have
> reasonable security.
> 
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
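The following is an added example, not code from either message above and not OAuth 1.0's own signature base string. It models Brian's four levels with HMAC-SHA256 over a constructed request and then does what Eran asks for: for each level it lists which of a small set of attacks still succeed, by actually running them against the verifier. The shared key, the sample request, the attack names and the choice of HMAC-SHA256 are all assumptions made for illustration.

```python
"""Which attacks survive each of the four OAuth signing levels?

Added example (not from the OAuth WG thread). Everything here is constructed:
the key, the request, the attacks and the use of HMAC-SHA256. It is a model
of the design space, not OAuth 1.0's HMAC-SHA1 base-string algorithm.
"""
import copy
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # assumption: client and server share this

# Constructed request; in practice this is what a coffee-shop sniffer captures.
REQUEST = {
    "method": "POST",
    "url": "https://api.example.com/mail/send",
    "params": {"to": "alice@example.com", "nonce": "n1", "timestamp": "1257752912"},
    "body": b'{"subject":"hi","text":"hello"}',
}


def base_string(req: dict, level: int) -> bytes:
    """Bytes covered by the signature at each level of Brian's menu.

    1: nothing (bearer token)             2: timestamp and nonce only
    3: method, URL and query parameters   4: level 3 plus a hash of the body
    """
    p = req["params"]
    if level == 1:
        return b""
    parts = [p["timestamp"], p["nonce"]]
    if level >= 3:
        parts = [req["method"], req["url"]] + [f"{k}={p[k]}" for k in sorted(p)]
    if level == 4:
        parts.append(hashlib.sha256(req["body"]).hexdigest())
    return "&".join(parts).encode()


def credential(req: dict, level: int) -> str:
    """What travels with the request: the bearer secret itself at level 1
    (which is why level 1 needs TLS), an HMAC over base_string otherwise."""
    if level == 1:
        return KEY.hex()
    return hmac.new(KEY, base_string(req, level), hashlib.sha256).hexdigest()


def verify(req: dict, level: int, presented: str) -> bool:
    return hmac.compare_digest(credential(req, level), presented)


# --- Attacks: each takes the captured request and returns the attacker's
# --- version. The attacker reuses the captured credential unchanged and
# --- never learns KEY.
def replay(req):           # resend verbatim; only nonce/timestamp tracking stops this
    return copy.deepcopy(req)

def retarget_url(req):     # point the captured credential at another endpoint
    r = copy.deepcopy(req)
    r["url"] = "https://api.example.com/mail/delete_all"
    return r

def change_param(req):     # swap a query parameter
    r = copy.deepcopy(req)
    r["params"]["to"] = "mallory@example.com"
    return r

def change_body(req):      # swap the entity body, leave URL and params alone
    r = copy.deepcopy(req)
    r["body"] = b'{"subject":"hi","text":"send money"}'
    return r

def fresh_request(req):    # brand-new request with a new timestamp and nonce
    r = change_param(req)
    r["params"].update({"timestamp": "1257756512", "nonce": "n2"})
    return r

ATTACKS = {f.__name__: f for f in (replay, retarget_url, change_param,
                                   change_body, fresh_request)}


def attacks_still_possible(level: int) -> list:
    """Names of attacks the verifier accepts at this level, sorted."""
    captured = credential(REQUEST, level)
    return sorted(name for name, f in ATTACKS.items()
                  if verify(f(REQUEST), level, captured))


if __name__ == "__main__":
    for level in (1, 2, 3, 4):
        print(f"level {level}: {attacks_still_possible(level)}")
```

Two points the table makes that the menu alone does not: signing only a timestamp (level 2) lets a sniffer reuse the captured signature on any URL or parameter set until the timestamp expires, so it buys little over a bearer token beyond not disclosing the secret; and even a fully signed message (level 4) can be replayed verbatim unless the server also tracks nonces within its timestamp window, so that check belongs on the server regardless of which level is chosen.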