I haven't seen much feedback so I assume this is almost ready for LC. I will apply the suggestions below and will request a WGLC for -02.
EH

On 2/8/12 10:51 PM, "Manger, James H" <james.h.man...@team.telstra.com> wrote:

> Eran, a couple of comments on the new MAC spec:
>
> The example (§1.1) does not seem to be correct. That is, I calculate
> mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value.
>
> The example in §3.2.1 has a typo. It says "using timestamp
> "264095:7d8f3e4a"", but should say "using timestamp "264095"".
>
> Timestamp verification (§4.1) is described as preventing replay attacks.
> However, the 3 dot points that the server MUST do only ensure that requests
> (other than the first) are approximately fresh (assuming the first was
> fresh). Of course, it is fairly obvious that the service can keep a copy
> of {ts,nonce,id} tuples (while the ts is still approximately fresh) to
> detect replays.
>
> When the ts field is defined (§3.1) it is probably worth mentioning that
> the fixed point in time (epoch) chosen to calculate ts MUST remain the
> same for the lifetime of the key. That is, a client app cannot pick a new
> epoch each time it starts if it is using the same key across restarts.
>
> Personally, I would almost prefer it to say: ts is seconds since 1970
> where possible; clients without a real-time clock can choose an arbitrary
> epoch, but it must remain the same for the lifetime of the key; servers
> SHOULD NOT assume client clocks are well synchronized to their own. It is
> RECOMMENDED that a server assumes the 1st request with a given key is
> fresh, and use the ts value in that request to determine the offset
> between the client & server clocks. That offset (assumed to remain
> constant) can be used to determine if subsequent requests are fresh.
>
> --
> James Manger
>
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Eran Hammer
> Sent: Thursday, 9 February 2012 4:55 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>
> Main changes:
>
> Removed cookies support
> Removed body hash
> Clarified timestamp verification
>
> I still have more comments to process but wanted to get a new draft out
> first as the current one expired.
>
> Please review the new timestamp prose and let me know what you think. I'm
> trying to allow the client to use any timestamp it can easily produce,
> and move the verification logic to the server as much as possible.
>
> EH
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of internet-dra...@ietf.org
>> Sent: Wednesday, February 08, 2012 9:52 AM
>> To: i-d-annou...@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol Working
>> Group of
>> the IETF.
>>
>> Title : HTTP Authentication: MAC Access Authentication
>> Author(s) : Eran Hammer-Lahav
>> Filename : draft-ietf-oauth-v2-http-mac-01.txt
>> Pages : 20
>> Date : 2012-02-08
>>
>> This document specifies the HTTP MAC access authentication scheme, an
>> HTTP authentication method using a message authentication code (MAC)
>> algorithm to provide cryptographic verification of portions of HTTP
>> requests. The document also defines an OAuth 2.0 binding for use as
>> an access-token type.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-http-mac-01.txt

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth