I will byte ;o) @all, I am thinking of developing a header integrity proposal - a header hash taking lead from Brian's body hash.

First, is there anybody attempting this? I am sure Brian is not. Second, while I think this is inevitable - one form or another, I also do not want to rush in. My thought is to start simple and then add complexity as and when needed. I think we should have a selective header hash or, if that turns out to be problematic, sign a list of prescriptive headers if that makes it easier. I will unearth old discussions on this topic and find common ground. Is this a good idea or better left alone?

Cheers
<k/>

|-----Original Message-----
|From: [email protected] [mailto:oauth-[email protected]] On Behalf Of Brian Eaton
|Sent: Thursday, April 02, 2009 2:52 PM
|To: [email protected]
|Subject: [oauth-extensions] Re: last call for comments on body signing
|
|
|I'm familiar with the dangers of content-sniffing, but in practice
|they cause problems when serving content, not when receiving content.
|I don't know of a single practical attack based on tampering with the
|content type sent from the client. When I've asked for examples of
|such attacks in the past, they've all boiled down to servers doing
|things that are completely insecure no matter how many signatures you
|add to the request. =)
|
|Somebody else can write the HTTP header integrity spec and code. The
|same approach used for body hash would be easy to extend.
|
|On Thu, Apr 2, 2009 at 2:25 PM, Ben Adida <[email protected]> wrote:
|>
|>
|> Hi Brian,
|>
|> I like the body hash extension quite a bit, especially the way it
|> retrofits into the existing oAuth protocol. I also see that you said
|> "no HTTP header integrity," but... I think this extension definitely
|> needs to verify the content-type, given all of the security issues
|> related to content-type-sniffing and the fact that it is relatively
|> easy to find markup that masquerades as one content type but is then
|> sniffed differently and causes all sorts of security problems.
|>
|> See the soon-to-be-presented Oakland security paper:
|> http://www.adambarth.com/papers/2009/barth-caballero-song.pdf
|>
|> So, I'm definitely not asking for full HTTP header integrity, but
|> content-type seems to go hand-in-hand with body-signing... any chance
|> that can be added as, say, oauth_content_type in the Authorization
|> header + SBS?
|>
|> -Ben
|>
|> On Mar 23, 11:51 am, Brian Eaton <[email protected]> wrote:
|>> Progress update:
|>>
|>> There is a new draft out, with clarifications based on feedback and
|>> implementation experience:
|>>
|>> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec....
|>>
|>> There are pending shindig code reviews for the implementation:
|>>
|>> http://codereview.appspot.com/27054/show
|>> http://codereview.appspot.com/28042/show
|>> http://codereview.appspot.com/28075/show
|>>
|>> Cheers,
|>> Brian
|>>
|>> On Wed, Mar 18, 2009 at 9:26 AM, Brian Eaton <[email protected]> wrote:
|>> > Yes, we're pushing this to be an optional, backwards-compatible, part
|>> > of the OAuth specification. I've gotten good feedback from the OAuth
|>> > community so far.
|>>
|>> > The backwards compatible piece is pretty important; the idea is that
|>> > clients can opt-in to body signing without breaking existing
|>> > compatibility with existing service providers.
|>>
|>> > On Tue, Mar 17, 2009 at 10:20 PM, Charlie Jiang <cji...@yahoo-inc.com> wrote:
|>>
|>> >> Hi Brian,
|>>
|>> >> Sorry to be very late to comment on this. Are we suggesting to push this
|>> >> to be part of OAuth spec? If so, have we talked to them?
|>>
|>> >> -Charlie
|>>
|>> >> -----Original Message-----
|>> >> From: [email protected]
|>> >> [mailto:[email protected]] On Behalf Of Brian
|>> >> Eaton
|>> >> Sent: Thursday, March 12, 2009 9:29 AM
|>> >> To: [email protected]; [email protected];
|>> >> [email protected]
|>> >> Subject: [opensocial-and-gadgets-spec] last call for comments on body
|>> >> signing
|>>
|>> >> Hi folks -
|>>
|>> >> I've neglected the body signing specification for a few months and I'd
|>> >> like to wrap it up. A fresh draft is here:
|>>
|>> >> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/3/spec.html
|>>
|>> >> Changes:
|>> >> - language cleaned up to be more precise
|>> >> - more detailed example
|>>
|>> >> Things that have not changed:
|>> >> - no, I'm not going to do anything about HTTP header integrity. Write
|>> >> another spec if you want that.
|>>
|>> >> I'm aiming to have a couple of reference implementations and a final
|>> >> spec by next Friday, March 20th.
|>>
|>> >> Cheers,
|>> >> Brian
|>
|> >
|>
|
|
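Brian's remark that "the same approach used for body hash would be easy to extend" and <k/>'s prescriptive-header idea, worked through as an added Python example (not code from the thread, the body-hash draft or Shindig): oauth_body_hash follows the draft's base64(SHA-1(entity body)) construction, while oauth_header_hash, its canonicalisation, the covered-header list and every request value are assumptions made here. Both hashes ride in the Authorization header as oauth_ parameters and are therefore covered by the existing HMAC-SHA1 signature, which is what lets the verifier detect a swapped Content-Type without a new signature algorithm.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

COVERED_HEADERS = ("content-type",)  # prescriptive list to sign (constructed)

def body_hash(body: bytes) -> str:
    # oauth_body_hash per the body-hash draft: base64(SHA-1(entity body)),
    # SHA-1 being the hash paired with the HMAC-SHA1 signature method.
    return base64.b64encode(hashlib.sha1(body).digest()).decode()

def header_hash(headers: dict, covered=COVERED_HEADERS) -> str:
    # Hypothetical oauth_header_hash: canonicalise the covered headers as
    # "lowercase-name:trimmed-value" lines and hash them like the body.
    # An absent header is hashed as empty, so stripping it is detected too.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    canon = "\n".join(f"{name}:{lower.get(name, '')}" for name in covered)
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def signature_base_string(method: str, url: str, params: dict) -> str:
    # OAuth 1.0 SBS: METHOD&url&normalised-params (request without query string).
    norm = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), quote(url, safe=""), quote(norm, safe="")])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}".encode()
    sbs = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()

def sign_request(method, url, headers, body, oauth_params, consumer_secret):
    # Client side: both hashes travel as oauth_ parameters, so the existing
    # signature covers them and no new signature algorithm is needed.
    params = dict(oauth_params)
    params["oauth_body_hash"] = body_hash(body)
    params["oauth_header_hash"] = header_hash(headers)  # hypothetical parameter
    params["oauth_signature"] = hmac_sha1(method, url, params, consumer_secret)
    return params

def verify_request(method, url, headers, body, params, consumer_secret) -> bool:
    # Server side: recompute both hashes from the request as it actually
    # arrived, then check the signature over the received parameters.
    if params.get("oauth_body_hash") != body_hash(body):
        return False
    if params.get("oauth_header_hash") != header_hash(headers):
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1(method, url, unsigned, consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

A full OAuth 1.0 verifier would also fold query-string parameters (and form-encoded body parameters, where the body hash does not apply) into the signature base string; that part is left out here to keep the header-hash step in view.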
