My highlights of the points raised on this thread are as follows:

A Client needs to sign a request for the temporary credentials to:
* Authenticate to the server
* Provide means for ensuring that a request has not been modified

A Client needs to sign a request for the token credentials to:
* Ensure that of all the legitimate Clients only the Client authorized by the Resource Owner can access the resource
* Provide means for ensuring that a request has not been modified

If a request is signed with the client's private key it can be used for providing non-repudiation; an alternative solution for non-repudiation would require involvement of a third party. There are use cases where non-repudiation is needed.

TLS protects only a session, not the data that need to be re-used later. Unless the whole session has been recorded and its key has been stored, TLS does not provide non-repudiation.

It appears that there is a consensus in the UMA community that signing should remain an option for enabling authentication and auditing.

There are use cases for which performance of a TLS-based solution would be worse than that of the signature-based solution.

Signatures are widely used for providing security over insecure channels in today's implementations. There is a view that the signature-based method should remain an option for providing security over an insecure channel.

Zachary

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Saint-Andre
Sent: Thursday, March 11, 2010 10:20 PM
To: [email protected]
Subject: Re: [OAUTH-WG] Signatures, Why?

<hat type='chair'/>

On 3/4/10 1:00 PM, Blaine Cook wrote:
> One of the things that's been a primary focus of both today's WG call
> and last week's call is what are the specific use cases for
> signatures?
>
> - Why are signatures needed?
> - What do signatures need to protect?
>
> Let's try to outline the use cases! Please reply here, so that we have
> a good idea of what they are as we move towards the Anaheim WG.

This was a valuable thread. Perhaps someone could write up a summary of the points raised, either on the list or at the wiki?

Peter

--
Peter Saint-Andre
https://stpeter.im/
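The distinction the summary above draws, authentication and integrity from a shared-secret signature versus non-repudiation only from a private-key signature, worked through in Go as an added example (not code from this thread or from any OAuth implementation). The base string follows the OAuth 1.0 construction of RFC 5849 section 3.4.1; the secrets, URL and parameters used to exercise it are constructed.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"net/url"
	"sort"
	"strings"
)

// enc is the RFC 3986 percent-encoding OAuth 1.0 requires (space is %20, never +).
func enc(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }
// BaseString builds the OAuth 1.0 signature base string (RFC 5849 section 3.4.1):
// METHOD & enc(URL) & enc(sorted k=v pairs joined by &). Changing the method, URL
// or any parameter changes this string, so a signature over it detects tampering.
func BaseString(method, baseURL string, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, enc(k)+"="+enc(params[k]))
	}
	return strings.ToUpper(method) + "&" + enc(baseURL) + "&" + enc(strings.Join(pairs, "&"))
}
// HMACSign is HMAC-SHA1 keyed with enc(client secret)&enc(token secret). The server
// shares those secrets, so it can authenticate the client and check integrity, but a
// MAC it could have computed itself proves nothing to a third party (no non-repudiation).
func HMACSign(base, clientSecret, tokenSecret string) string {
	mac := hmac.New(sha1.New, []byte(enc(clientSecret)+"&"+enc(tokenSecret)))
	mac.Write([]byte(base))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}
// RSASign is RSA-SHA1 (RSASSA-PKCS1-v1_5): only the private-key holder can produce the
// signature, anyone with the public key can verify it, so the signed request is reusable
// later as evidence of who sent it, which TLS alone does not give.
func RSASign(base string, priv *rsa.PrivateKey) ([]byte, error) {
	h := sha1.Sum([]byte(base))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
}
func RSAVerify(base string, pub *rsa.PublicKey, sig []byte) bool {
	h := sha1.Sum([]byte(base))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) == nil
}
```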
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
