W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2010

Re: Duplicating request component in an HTTP authentication scheme

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 27 May 2010 16:48:25 -0700
Cc: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-Id: <95F751E0-7AB7-491A-AD10-BD12A471D91B@gbiv.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
On May 27, 2010, at 4:11 PM, Eran Hammer-Lahav wrote:

> The OAuth working group is debating how to make signed authenticated requests. The two main questions is what do sign, and what to sign it with. On the 'what to sign part' we know we want to sign the request URI, HTTP method, and host name (among other cryptographic attributes such as timestamp and nonce).
> OAuth 1.0 includes a normalization process taking the request and serializing it into a base string (which is then signed). For OAuth 2.0, we have two competing proposals:
> 1. Normalize the request and send just the signature
> 2. Normalize the request and send both the signature and the signed string
> The advantage of #2 is that is moves the complexity from the client to the server. It is up to the server to figure out if the signed blob matches the request itself. The issue is that by doing so, the HTTP request is duplicated (HTTP request and authentication blob). Server will be required to compare the request with the blob to make sure they match. In practice, servers can ignore the request and just respond to the blob because it's the authenticated copy.
> The ramification of #2 is that it moves the HTTP request bits to another layer, creating a sort of wrapper.

And a security hole that you can drive a truck through.  If you are
going to sign the routing bits, then you have to verify that the
route is the same in both the blob and the message so that the
blob is not being used to bypass route security (e.g., firewalls)
to access internal paths.

If the server doesn't check the actual message, then don't bother
to sign anything.  In other words, I say #1, or at least I would
if this were not heading down the exact same road as S-HTTP.

> However, this approach should make it easier for client developers (who proved themselves to be extremely incompetent with the 1.0 specification) to get signatures right. It also allows for signing arbitrary data in addition to the HTTP request.
> Thoughts?

The same client developers will have the same competence issues
with regard to any new spec.  Just make sure that the protocol
breaks visibly if anything is done wrong, and then they can fix
their own protocol stacks if they want to implement this signing.

Received on Thursday, 27 May 2010 23:48:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:53 UTC