+1
Igor
Richer, Justin P. wrote:
What I like about Brian's solution (a lot) is that you can at least see what the heck the client thought it was doing. When you're inside of a framework, your URL may get all kinds of munched up but you can usually tell if an incoming one makes sense to you in your framework-specific validation code. I.e., "check all my inputs and see if they're someplace on that client url". Brian's approach makes checking that the signature is valid a separate task from checking that the url is valid, and I like that separation. Yes, they are related from a security standpoint as has been discussed here (otherwise, what do you care what you're signing?), but I'm all for a security setup with a bit less voodoo than 1.0 had.
-- justin
________________________________________
From: [email protected] [[email protected]] On Behalf Of William
Mills [[email protected]]
Sent: Friday, May 28, 2010 12:21 PM
To: Eran Hammer-Lahav; Brian Eaton; [email protected]
Cc: [email protected]
Subject: Re: [OAUTH-WG] FW: Duplicating request component in an HTTP
authentication scheme
I thought one of the fundamental ugly problems is that the client
doesn't actually know the full URL authoritatively in all frameworks,
because variables get appended to the query string in an unknown order
in some cases?
Solving that problem seems key. OAuth 1.0 had one solution, which it
turns out people tend to get wrong. Brian's proposal solves it a
different way with the problem that it makes for data duplication with
those associated risks/problems.
What other options do we have?
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Eran Hammer-Lahav
Sent: Thursday, May 27, 2010 8:04 PM
To: Brian Eaton; [email protected]
Cc: OAuth WG ([email protected])
Subject: Re: [OAUTH-WG] FW: Duplicating request component in
an HTTP authentication scheme
-----Original Message-----
From: Brian Eaton [mailto:[email protected]]
Sent: Thursday, May 27, 2010 6:21 PM
OAuth 1.0 was unusual in that it required that the server match a hash
of the URL, rather than the real URL. It's an extra layer of
indirection and complexity. It doesn't improve security.
The current draft signs the real URL.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
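The separation discussed in this thread, sketched as an added example that is not code from any of the posters or from an OAuth draft: one function checks the signature over the URL the client says it signed, and a second checks that this declared URL describes the request the framework actually received, whatever order the query parameters arrived in. The HMAC-SHA256 construction, the key, the function names and the sample URL are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

KEY = b"constructed-demo-key"  # constructed sample secret, not a real credential


def sign(declared_url: str, key: bytes = KEY) -> str:
    """Client side: MAC over the exact URL string the client believes it is requesting."""
    return hmac.new(key, declared_url.encode(), hashlib.sha256).hexdigest()


def signature_valid(declared_url: str, signature: str, key: bytes = KEY) -> bool:
    """Task 1: is the signature valid for the declared URL? No URL parsing involved."""
    return hmac.compare_digest(sign(declared_url, key), signature)


def url_matches(declared_url, scheme, host, path, params) -> bool:
    """Task 2: does the declared URL describe the request that was received?

    `params` is the list of (name, value) pairs as the framework parsed them,
    in any order. The comparison is order-insensitive but exact, so a parameter
    that the signed URL does not cover causes a rejection.
    """
    d = urlsplit(declared_url)
    if (d.scheme.lower(), d.netloc.lower(), d.path) != (scheme.lower(), host.lower(), path):
        return False
    declared = sorted(parse_qsl(d.query, keep_blank_values=True))
    return declared == sorted(params)


def accept(declared_url, signature, scheme, host, path, params) -> bool:
    """Both checks must pass; a valid signature over the wrong URL is not enough."""
    return signature_valid(declared_url, signature) and url_matches(
        declared_url, scheme, host, path, params
    )


# Constructed sample request: the framework hands over the parameters reordered.
DECLARED = "https://api.example.com/photos?size=large&file=a.jpg"
SIG = sign(DECLARED)
REORDERED = [("file", "a.jpg"), ("size", "large")]
```
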