And also...

How would the server mandate a set of header fields requiring signature?  How 
can the server mandate a signature method or do we just stay with the two 
options and allow either?  It might want to enforce SHA-256?

-bill


________________________________
 From: William Mills <[email protected]>
To: "[email protected]" <[email protected]>; Hannes Tschofenig 
<[email protected]> 
Sent: Wednesday, February 27, 2013 1:12 AM
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
 

Just read the draft quickly.  

Since we're now leaning on JWT do we need to include the token in this?  Why 
not just make an additional "Envelope MAC" thing and have the signature include 
the 3 JWT parts in the signature base string?  That object then just becomes a 
JSON container for the kid, timestamp, signature method, signature etc. That 
thing then is a 4th base64 encoded JSON thing in the auth header.

How header fields get included in the signature needs definition.

Why did you kill the port number, nonce, and extension parameter out of the 
signature base string?

The BNF appears to have no separators between values.

-bill
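The two questions raised in these messages, how covered header fields get included in the signature base string and how a server can mandate a signature method, are illustrated below with an added Python example. This is not code from the thread or from the draft: the base string layout, the parameter names (id, ts, mac_alg, h, mac), the key store, the allowed-algorithm list and the required-header list are all assumptions chosen for the illustration, not the draft's normative format. The client lists the headers it covered in the "h" parameter so both sides build the same input, and the server rejects requests that use a non-permitted MAC algorithm or that fail to cover a header it requires.

```python
import base64
import hashlib
import hmac
import time

# Server-side policy (constructed for this example, not from the draft):
# only HMAC-SHA-256 is accepted, and the listed headers must be covered.
ALLOWED_MACS = {"hmac-sha-256": hashlib.sha256}
REQUIRED_HEADERS = ("host", "content-type")
MAX_CLOCK_SKEW = 300  # seconds

# Constructed key store: key id -> shared MAC key.
KEYS = {"kid-1": b"constructed-example-session-key"}


def base_string(ts, method, uri, headers, covered):
    """Hypothetical normalized request string (an assumption, not the draft's
    format): one field per line, each covered header as 'name:value' with the
    name lower-cased and the value stripped, so both sides build identical input."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    lines = [str(ts), method.upper(), uri]
    for name in covered:
        lines.append(f"{name.lower()}:{hdrs[name.lower()].strip()}")
    return "\n".join(lines) + "\n"


def sign(kid, key, mac_alg, method, uri, headers, covered, now=None):
    """Client side: produce the MAC authorization parameters for one request."""
    ts = int(now if now is not None else time.time())
    digest = hashlib.sha256 if mac_alg == "hmac-sha-256" else hashlib.sha1
    data = base_string(ts, method, uri, headers, covered).encode()
    mac = hmac.new(key, data, digest).digest()
    return {
        "id": kid,
        "ts": ts,
        "mac_alg": mac_alg,
        "h": ";".join(n.lower() for n in covered),  # which headers were signed
        "mac": base64.b64encode(mac).decode(),
    }


def verify(params, method, uri, headers, now=None):
    """Server side: enforce algorithm and header-coverage policy, then check
    the MAC in constant time. Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    key = KEYS.get(params.get("id"))
    if key is None:
        return False, "unknown key id"
    digest = ALLOWED_MACS.get(params.get("mac_alg"))
    if digest is None:
        return False, "mac algorithm not permitted"
    covered = tuple(params["h"].split(";")) if params.get("h") else ()
    missing = [h for h in REQUIRED_HEADERS if h not in covered]
    if missing:
        return False, "required headers not covered: " + ",".join(missing)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if any(name not in hdrs for name in covered):
        return False, "covered header absent from request"
    if abs(now - int(params["ts"])) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    data = base_string(params["ts"], method, uri, headers, covered).encode()
    expected = hmac.new(key, data, digest).digest()
    try:
        presented = base64.b64decode(params["mac"], validate=True)
    except (ValueError, KeyError):
        return False, "malformed mac"
    if not hmac.compare_digest(expected, presented):
        return False, "mac mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: the client covers Host and Content-Type.
    req_headers = {"Host": "api.example.com", "Content-Type": "application/json"}
    params = sign("kid-1", KEYS["kid-1"], "hmac-sha-256", "POST", "/resource/1",
                  req_headers, ("host", "content-type"))
    print(verify(params, "POST", "/resource/1", req_headers))
    weak = sign("kid-1", KEYS["kid-1"], "hmac-sha-1", "POST", "/resource/1",
                req_headers, ("host", "content-type"))
    print(verify(weak, "POST", "/resource/1", req_headers))
```

The policy lives entirely on the server: a client that signs with hmac-sha-1, or that omits a required header from the covered set, is refused before any MAC comparison happens, and a request whose covered header values changed in transit fails the comparison itself.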



________________________________
 From: "[email protected]" <[email protected]>
To: [email protected] 
Cc: [email protected] 
Sent: Monday, February 25, 2013 4:46 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt
 

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of 
the IETF.

    Title           : OAuth 2.0 Message Authentication Code (MAC) Tokens
    Author(s)       : Justin Richer
                          William Mills
                          Hannes Tschofenig
    Filename        : draft-ietf-oauth-v2-http-mac-03.txt
    Pages           : 26
    Date            : 2013-02-25

Abstract:
   This specification describes how to use MAC Tokens in HTTP requests
   to access OAuth 2.0 protected resources.  An OAuth client willing to
   access a protected resource needs to demonstrate possession of a
   cryptographic key by using it with a keyed message digest function to
   the request.

   The document also defines a key distribution protocol for obtaining a
   fresh session key.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-03

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-http-mac-03


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth