I haven't seen much feedback so I assume this is almost ready for LC. I
will apply the suggestions below and will request a WGLC for -02.

EH


On 2/8/12 10:51 PM, "Manger, James H" <james.h.man...@team.telstra.com>
wrote:

>Eran, a couple of comments on the new MAC spec:
>
>The example (§1.1) does not seem to be correct. That is, I calculate
>mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value.
>
>The example in §3.2.1 has a typo. It says "using timestamp
>"264095:7d8f3e4a"", but should say "using timestamp "264095"".
>
>Timestamp verification (§4.1) is described as preventing replay attacks.
>However, the 3 dot points that server MUST do only ensure that requests
>(other than the first) are approximately fresh (assuming the first was
>fresh). Of course, it is fairly obvious that the service can keep a copy
>of {ts,nonce,id} tuples (while the ts is still approximately fresh) to
>detect replays.
>
>When the ts field is defined (§3.1) it is probably worth mentioning that
>the fixed point in time (epoch) chosen to calculate ts MUST remain the
>same for the lifetime of the key. That is, a client app cannot pick a new
>epoch each time it starts if it is using the same key across restarts.
>
>Personally, I would almost prefer it to say: ts is seconds since 1970
>where possible; clients without a real-time clock can choose an arbitrary
>epoch, but it must remain the same for the lifetime of the key; servers
>SHOULD NOT assume client clocks are well synchronized to their own. It is
>RECOMMENDED that a server assume the 1st request with a given key is
>fresh, and use the ts value in that request to determine the offset
>between the client & server clocks. That offset (assumed to remain
>constant) can be used to determine if subsequent requests are fresh.
>
>--
>James Manger
>
>-----Original Message-----
>From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
>Eran Hammer
>Sent: Thursday, 9 February 2012 4:55 AM
>To: oauth@ietf.org
>Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>
>Main changes:
>
>Removed cookies support
>Removed body hash
>Clarified timestamp verification
>
>I still have more comments to process but wanted to get a new draft out
>first as the current one expired.
>
>Please review the new timestamp prose and let me know what you think. I'm
>trying to allow the client to use any timestamp it can easily produce,
>and move the verification logic to the server as much as possible.
>
>EH
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of internet-dra...@ietf.org
>> Sent: Wednesday, February 08, 2012 9:52 AM
>> To: i-d-annou...@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
>>directories.
>> This draft is a work item of the Web Authorization Protocol Working
>>Group of
>> the IETF.
>> 
>>      Title           : HTTP Authentication: MAC Access Authentication
>>      Author(s)       : Eran Hammer-Lahav
>>      Filename        : draft-ietf-oauth-v2-http-mac-01.txt
>>      Pages           : 20
>>      Date            : 2012-02-08
>> 
>>    This document specifies the HTTP MAC access authentication scheme, an
>>    HTTP authentication method using a message authentication code (MAC)
>>    algorithm to provide cryptographic verification of portions of HTTP
>>    requests.  The document also defines an OAuth 2.0 binding for use as
>>    an access-token type.
>> 
>> 
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-http-mac-01.txt
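
As an added illustration of the two server-side checks James describes above (not code from the draft or from anyone in this thread): a verifier that learns a per-key clock offset from the first request with that key, treats later requests as fresh only if their offset-adjusted timestamp is within a window, and keeps a bounded set of {id, ts, nonce} tuples to reject replays while the timestamp is still fresh. The class, method and parameter names, the 60-second window, the key id "key-1"/"key-2" and the nonce values are this example's own assumptions; the ts value 264095 and nonce 7d8f3e4a are taken from the thread's discussion of the draft's example.

```python
"""Server-side freshness and replay check for MAC-authenticated requests.

Added example (not code from draft-ietf-oauth-v2-http-mac or from any
poster in this thread).  All names here are the example's own assumptions.
"""
from collections import deque
from typing import Deque, Dict, Set, Tuple


class MacReplayVerifier:
    """Tracks a clock offset per key id and the (id, ts, nonce) tuples seen."""

    def __init__(self, window_seconds: int = 60) -> None:
        self.window = window_seconds
        # key id -> (server_now - client_ts), measured on the first request,
        # so a client that picked an arbitrary epoch still verifies as long as
        # it keeps that epoch for the lifetime of the key.
        self.offsets: Dict[str, int] = {}
        # (id, ts, nonce) tuples already accepted
        self.seen: Set[Tuple[str, int, str]] = set()
        # (server time of acceptance, tuple), oldest first, for pruning
        self.order: Deque[Tuple[int, Tuple[str, int, str]]] = deque()

    def _prune(self, now: int) -> None:
        # Keep tuples for 2*window after acceptance.  The client may have
        # been up to `window` ahead of us when accepted, so only after 2*window
        # is a replay of that tuple guaranteed to fail the staleness check
        # instead; that lets the set stay bounded without opening a gap.
        while self.order and now - self.order[0][0] > 2 * self.window:
            _, tup = self.order.popleft()
            self.seen.discard(tup)

    def verify(self, key_id: str, ts: int, nonce: str, now: int) -> str:
        """Return "ok", "stale" or "replay" for a request's (ts, nonce)."""
        self._prune(now)
        if key_id not in self.offsets:
            # Assume the first request with this key is fresh and learn the
            # offset between the client's and the server's clock.
            self.offsets[key_id] = now - ts
        adjusted = ts + self.offsets[key_id]
        if abs(adjusted - now) > self.window:
            return "stale"
        tup = (key_id, ts, nonce)
        if tup in self.seen:
            return "replay"
        self.seen.add(tup)
        self.order.append((now, tup))
        return "ok"


if __name__ == "__main__":
    v = MacReplayVerifier(window_seconds=60)
    # Constructed sample: key-1 uses an arbitrary epoch (ts=264095 at
    # server time 1_000_000); the same request resent is a replay.
    print(v.verify("key-1", 264095, "7d8f3e4a", now=1_000_000))  # ok
    print(v.verify("key-1", 264095, "7d8f3e4a", now=1_000_005))  # replay
    print(v.verify("key-1", 264095, "7d8f3e4a", now=1_000_200))  # stale
```

Note that the first request is trusted unconditionally, exactly as James proposes; a server that cannot accept that assumption would need an out-of-band clock (seconds since 1970) for the first request as well.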

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
