Hi Phil,
Hi Blair,

This is a good point. I also don't see a reason why the HTTP protocol
version should be included in the keyed message digest (from a security
point of view).

It might, however, be worthwhile to point out that we are exploring
different solution directions, as described in this slide deck
http://www.tschofenig.priv.at/oauth/IETF-OAuth-PoP.pptx

For this reason it might be interesting to know what AWS implements. Do
you guys have a reference?

Ciao
Hannes


On 05/09/2014 05:47 AM, Phil Hunt wrote:
> Fyi
> 
> Phil
> 
> Begin forwarded message:
> 
>> *From:* Blair Strang <[email protected]
>> <mailto:[email protected]>>
>> *Date:* May 8, 2014 at 18:47:58 PDT
>> *Resent-To:* [email protected]
>> <mailto:[email protected]>, [email protected]
>> <mailto:[email protected]>, [email protected]
>> <mailto:[email protected]>, [email protected]
>> <mailto:[email protected]>
>> *To:* [email protected]
>> <mailto:[email protected]>
>> *Subject:* *HTTP protocol version in MAC signatures*
>>
>> Hi,
>>
>> [Not sure if this is the right address to submit this feedback to]
>>
>> Looking over
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 section 5.2
>> "MAC Input String", it seems that the HTTP request line is used
>> verbatim during the construction of MAC tokens.
>>
>> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it
>> seems that HTTP proxies which run different protocol versions on each
>> leg will break signatures. 
>>
>> I would recommend removing the HTTP version from the MAC. The
>> transport is inherently a "per hop" type of thing, while request
>> signatures are conceptually "end to end".
>>
>> I am not aware of any specific security benefits derived from
>> including the HTTP protocol version in the MAC input string. This may
>> be why AWS version 2 and AWS version 4 signatures do not include it.
>>
>> Thanks and regards,
>>
>>     Blair.
>>
> 
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
> 

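To make the failure mode Blair describes concrete, here is a small added example (written for this page; it is not code from the draft, from AWS, or from any of the posters). The layout of the MAC input string below is a simplified assumption, not the draft's exact normalisation, and the key, timestamp, nonce and host values are constructed. It signs a request once with the request line embedded verbatim and once with the HTTP version stripped, then runs the request through a simulated proxy that speaks HTTP/1.0 on its upstream leg and has the server recompute the MAC over what it actually received.

```python
import hashlib
import hmac

# Constructed demo values; the key, timestamp, nonce and host are made up.
KEY = b"demo-mac-key"
TIMESTAMP = "1399600000"
NONCE = "dj83hs9s"
HOST = "example.com"


def split_request_line(request_line: str):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    method, target, version = request_line.split(" ", 2)
    return method, target, version


def input_string_with_version(request_line: str) -> str:
    """Simplified MAC input that embeds the request line verbatim, so the
    per-hop HTTP version ends up inside the keyed digest (assumed layout,
    not the draft's exact normalisation)."""
    return "\n".join([TIMESTAMP, NONCE, request_line, HOST]) + "\n"


def input_string_without_version(request_line: str) -> str:
    """Same input with the protocol version dropped: only the method and
    request-target, which are end-to-end properties, are signed."""
    method, target, _version = split_request_line(request_line)
    return "\n".join([TIMESTAMP, NONCE, method, target, HOST]) + "\n"


def compute_mac(key: bytes, input_string: str) -> str:
    """HMAC-SHA256 over the input string, hex encoded (algorithm choice is
    the example's, not necessarily the draft's)."""
    return hmac.new(key, input_string.encode("ascii"), hashlib.sha256).hexdigest()


def verify_mac(key: bytes, input_string: str, received: str) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(compute_mac(key, input_string), received)


def proxy_downgrade(request_line: str) -> str:
    """Model a proxy that accepts HTTP/1.1 from the client but speaks
    HTTP/1.0 on the upstream leg; the request line arriving at the
    resource server differs only in the version token."""
    method, target, _version = split_request_line(request_line)
    return f"{method} {target} HTTP/1.0"


def survives_proxy(build_input) -> bool:
    """Client signs its own request line; the server recomputes the MAC
    over the line it actually received after the proxy hop and checks it
    against the tag the client sent."""
    client_line = "GET /resource/1?b=1&a=2 HTTP/1.1"
    tag = compute_mac(KEY, build_input(client_line))
    server_line = proxy_downgrade(client_line)
    return verify_mac(KEY, build_input(server_line), tag)


if __name__ == "__main__":
    print("verbatim request line:", survives_proxy(input_string_with_version))     # False
    print("version stripped:     ", survives_proxy(input_string_without_version))  # True
```

With the version inside the digest, a single byte changed by the intermediary invalidates an otherwise untouched request; with it excluded, the MAC still binds the method and request-target that both ends agree on. One caveat worth keeping in mind when reasoning about "end to end" signing: the protocol version is not the only part of the request line an intermediary may rewrite (a proxy can, for instance, receive an absolute-form request-target and forward an origin-form one, per RFC 7230 section 5.3), so any field placed in the MAC input should be one the client and the resource server are guaranteed to see identically.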
