On 2010-03-04, at 9:31 PM, Igor Faynberg wrote:

> 
> 
> Dick Hardt wrote:
>> On 2010-03-04, at 12:27 PM, Igor Faynberg wrote:
>> ...
>>>> - Why are signatures needed?
>>>>       
>>> 1) For authentication
>>> 
>>> 2) For ensuring integrity
>>> 
>>> 3) For non-repudiation
>>>    
>> 
>> Those are the general capabilities of signatures. "Why does the Client need 
>> to sign the request / token?" is the full question.
>>  
> 
> Yes, these are the benefits of using signatures. As Brian has already 
> pointed, there have been cases on the record. I tried to summarize the 
> benefits in a short answer, but I don't mind elaborating.
>> Which party are we worried about authenticating?   
> 
> The Client, of course. And it is not simply that we are authenticating the 
> Client, we a) authenticate the token and b) ensure that it has not been 
> modified. Say, a rogue Client through some sort of phishing pretends to the 
> end user to be legitimate in accessing the user's data and--to the server 
> (i.e., service provider) it pretends to be a legitimate partner. A lot of bad 
> things may happen. Yet, if the request for *temporary credentials* is denied 
> when the signature is verified and found wrong, nothing would proceed. Here, 
> only a legitimate client can even start a transaction.

What makes a client legitimate? In a rich application, all Client secrets can 
be discovered.

> 
> And then, later the request for *token credentials* also needs to be signed 
> (and differently) to ensure that of all the legitimate Clients only the 
> Client authorized by the end user can access the record.
> 
>> What are we trying to ensure the integrity of?
> 
> The request, of course. Incidentally, this feature would come "for free" 
> anyway if the client signs the hash of the request and sends it along with 
> the request itself. (And throwing in a nonce into the hash would prevent 
> replay.)

Throwing in a nonce also introduces a requirement to the PR to maintain state.

...

So far, you are explaining security 101. 

If there is a secure channel between the Client and the PR, and the token is 
only accepted at one Client. What other advantages are there to the Client 
signing that you don't get from a bearer token?

-- Dick
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
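The signed-hash-plus-nonce scheme Igor describes, together with the server-side state Dick points out it requires, as an added Python sketch that is not from the thread or from any OAuth specification; the shared secret, URL, parameter names and nonce/timestamp window are constructed assumptions (loosely modelled on OAuth 1.0 naming).

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample secret shared between the Client and the Protected
# Resource (PR); a real deployment would provision this out of band.
CLIENT_SECRET = b"constructed-shared-secret"


def base_string(method, url, params):
    # Canonical form of the request that both sides must compute identically.
    items = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{url}&{items}"


def sign_request(method, url, params, secret, nonce=None, ts=None):
    """Client side: add a nonce and timestamp, then HMAC the request hash."""
    p = dict(params)
    p["oauth_nonce"] = nonce if nonce is not None else secrets.token_hex(8)
    p["oauth_timestamp"] = str(ts if ts is not None else int(time.time()))
    digest = hashlib.sha256(base_string(method, url, p).encode()).digest()
    p["oauth_signature"] = hmac.new(secret, digest, hashlib.sha256).hexdigest()
    return p


class ProtectedResource:
    """Server side: verify the signature and reject replayed nonces.
    The `seen` set is exactly the per-request state the PR has to keep."""

    def __init__(self, secret, window=300):
        self.secret = secret
        self.window = window          # accepted clock skew in seconds
        self.seen = set()             # (timestamp, nonce) pairs already used

    def verify(self, method, url, params, now=None):
        now = now if now is not None else int(time.time())
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        digest = hashlib.sha256(base_string(method, url, p).encode()).digest()
        expected = hmac.new(self.secret, digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "bad_signature"    # tampered request or wrong secret
        if abs(now - int(p["oauth_timestamp"])) > self.window:
            return "stale_timestamp"  # bounds how long nonces must be kept
        key = (p["oauth_timestamp"], p["oauth_nonce"])
        if key in self.seen:
            return "replay"           # same signed request presented twice
        self.seen.add(key)
        return "ok"
```

Without the `seen` set the signature alone would still accept a captured request replayed inside the timestamp window, which is the state requirement Dick raises.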
