A comment on the MAC draft [draft-ietf-oauth-v2-http-mac-00]:
When MAC credentials are issued with a Set-Cookie response header [section 6]
the spec says to use the cookie's name as the MAC key identifier (eg "id=SID").
It would make more sense to use the cookie's value (eg "id=31d4d96e407aad42").
I guess the intention is to include the cookie's value in the Cookie header so
it is unnecessary to repeat it in the Authorization header. Repeating the
cookie name should be less overhead as it will usually be quite short. This is
a bit hacky, too hacky. Wouldn't it be better for a client that recognizes a
special MAC cookie to use it to construct Authorization headers and omit it
from Cookie headers? A client that doesn't understand the extra MAC-Key cookie
attribute will treat the cookie as a normal cookie to return in a Cookie header.
A "normal" MAC library would use the id field in an "Authorization: MAC" header
to lookup the secret key. A library for this spec will sometimes use the id
field to lookup the secret key, but also sometimes use the id field to lookup a
cookie then use that value to lookup the secret key. There is no explicit sign
about which approach to follow in any given instance. It depends on how the MAC
credentials were issued - which a protected resource shouldn't have to care
about, and might not know.
There have been suggestions that the MAC calculation could/should cover the key
id. In that situation it is even more crucial that the id field isn't just a
name referring to the real value elsewhere - as then the security changes based
on the syntax used to issue the credentials.
[Section 6, and 6.1.3]
Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=example.com;
MAC-Key=8yfrufh348h; MAC-Algorithm=hmac-sha-1
...The cookie name "SID" is used as the MAC key identifier
...
MAC key identifier
is equal to the operative-cookie's name,
--
James Manger
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
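The two key-lookup paths the message describes (id names the key directly, or id names a cookie whose value selects the key), as an added example that is not part of the original post or of the draft; the key identifiers, cookie values, key material and the simplified normalized-string layout are constructed assumptions, not the draft's exact format.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed key material for this demonstration; none of it comes from the draft.
DIRECT_KEYS = {"h480djs93hd8": b"adiuj4ksjfnso"}    # MAC key identifier -> key
COOKIE_KEYS = {"31d4d96e407aad42": b"8yfrufh348h"}  # cookie value -> MAC-Key from Set-Cookie
MAC_COOKIE_NAMES = {"SID"}                           # cookies issued with a MAC-Key attribute

def parse_mac_header(value):
    """Parse 'MAC id="..", nonce="..", mac=".."' into a dict (simplified parser)."""
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    fields = {}
    for part in params.split(","):
        name, _, val = part.strip().partition("=")
        fields[name] = val.strip('"')
    return fields

def resolve_key(key_id, cookie_header):
    """Return (key, how) using the two lookups the draft forces a resource to support."""
    if key_id in DIRECT_KEYS:                        # path 1: id names the key directly
        return DIRECT_KEYS[key_id], "direct"
    if key_id in MAC_COOKIE_NAMES and cookie_header:  # path 2: id names a cookie (section 6)
        jar = SimpleCookie()
        jar.load(cookie_header)
        if key_id in jar:
            key = COOKIE_KEYS.get(jar[key_id].value)
            if key is not None:
                return key, "cookie"
    return None, "unresolved"                        # resource has no way to tell which path applied

def normalized_string(nonce, method, uri, host, port):
    """Simplified stand-in for the draft's normalized request string (assumed layout)."""
    return "\n".join([nonce, method, uri, host, str(port)]) + "\n"

def compute_mac(key, nonce, method, uri, host, port):
    """HMAC-SHA1 over the normalized string, base64-encoded (hmac-sha-1 algorithm)."""
    msg = normalized_string(nonce, method, uri, host, port).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(auth_header, cookie_header, method, uri, host, port):
    """Return (valid, how); 'how' records which lookup path the resource had to take."""
    fields = parse_mac_header(auth_header)
    key, how = resolve_key(fields["id"], cookie_header)
    if key is None:
        return False, how
    expected = compute_mac(key, fields["nonce"], method, uri, host, port)
    return hmac.compare_digest(expected, fields["mac"]), how
```

The same Authorization header with id="SID" verifies only when the Cookie header travels with it, which is the coupling between credential issuance and resource-side verification that the message objects to.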