What I like about Brian's solution (a lot) is that you can at least see what the heck the client thought it was doing. When you're inside of a framework, your URL may get all kinds of munched up, but you can usually tell if an incoming one makes sense to you in your framework-specific validation code, i.e., "check all my inputs and see if they're someplace on that client URL". Brian's approach makes checking that the signature is valid a separate task from checking that the URL is valid, and I like that separation. Yes, they are related from a security standpoint, as has been discussed here (otherwise, what do you care what you're signing?), but I'm all for a security setup with a bit less voodoo than 1.0 had.
-- justin

________________________________________
From: [email protected] [[email protected]] On Behalf Of William Mills [[email protected]]
Sent: Friday, May 28, 2010 12:21 PM
To: Eran Hammer-Lahav; Brian Eaton; [email protected]
Cc: [email protected]
Subject: Re: [OAUTH-WG] FW: Duplicating request component in an HTTP authentication scheme

I thought one of the fundamental ugly problems is that the client doesn't actually know the full URL authoritatively in all frameworks, because variables get appended to the query string in an unknown order in some cases? Solving that problem seems key. OAuth 1.0 had one solution, which it turns out people tend to get wrong. Brian's proposal solves it a different way, with the problem that it makes for data duplication with those associated risks/problems. What other options do we have?

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Eran Hammer-Lahav
> Sent: Thursday, May 27, 2010 8:04 PM
> To: Brian Eaton; [email protected]
> Cc: OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] FW: Duplicating request component in
> an HTTP authentication scheme
>
> > -----Original Message-----
> > From: Brian Eaton [mailto:[email protected]]
> > Sent: Thursday, May 27, 2010 6:21 PM
> >
> > OAuth 1.0 was unusual in that it required that the server match a hash
> > of the URL, rather than the real URL. It's an extra layer of
> > indirection and complexity. It doesn't improve security.
>
> The current draft signs the real URL.
>
> EHL
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
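The separation Justin describes, as an added example that is not code from this thread or from any OAuth draft: the client sends the URL it actually signed alongside the signature, and the server checks "is the signature valid over what the client says it signed?" and "does what the client signed match the request I received?" as two separate tasks, so query-string reordering by a framework only affects the second check. The header layout, the canonicalization rule and the shared secret are assumptions made for this example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Hypothetical header layout (an assumption, not any draft's wire format):
#   Authorization: MAC url="<URL as the client saw it>", sig="<hex HMAC-SHA256>"
# The client signs the URL it *thinks* it is requesting and sends that URL along,
# so the server can see exactly what was signed (the "duplicated request component").

SECRET = b"constructed-shared-secret"  # constructed for this example


def canonical(url: str) -> str:
    """Canonical form used only for the URL match: lowercase scheme and host,
    path unchanged, query parameters sorted by (name, value)."""
    p = urlsplit(url)
    params = sorted(parse_qsl(p.query, keep_blank_values=True))
    query = "&".join(f"{k}={v}" for k, v in params)
    base = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    return f"{base}?{query}" if query else base


def sign(method: str, url: str, secret: bytes = SECRET) -> str:
    """HMAC over the method and the URL exactly as the client supplied it."""
    return hmac.new(secret, f"{method.upper()} {url}".encode(), hashlib.sha256).hexdigest()


def client_header(method: str, client_url: str) -> dict:
    """What the client puts in the Authorization header: the signed URL plus the signature."""
    return {"url": client_url, "sig": sign(method, client_url)}


def check_signature(method: str, header: dict, secret: bytes = SECRET) -> bool:
    """Task 1: is the signature valid over the URL the client says it signed?"""
    return hmac.compare_digest(sign(method, header["url"], secret), header["sig"])


def check_url(header: dict, actual_url: str) -> bool:
    """Task 2: does the signed URL describe the request the server actually received?
    Compared in canonical form, so framework reordering of the query string is harmless,
    while a changed host, path or parameter value is caught."""
    return canonical(header["url"]) == canonical(actual_url)


def verify(method: str, header: dict, actual_url: str) -> tuple:
    """Both results, kept separate so a failure can be attributed to the right task."""
    return check_signature(method, header), check_url(header, actual_url)
```

A server that only runs task 1 and then acts on the URL it received, rather than the one the client signed, is exactly the data-duplication risk William raises: the signature still verifies while the request being served is a different one.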
