Dick Hardt wrote:
> On 2010-03-04, at 12:27 PM, Igor Faynberg wrote:
>> ...
>> - Why are signatures needed?
>> 1) For authentication
>> 2) For ensuring integrity
>> 3) For non-repudiation
> Those are the general capabilities of signatures. "Why does the Client need to sign
> the request / token?" is the full question.
Yes, these are the benefits of using signatures. As Brian has already
pointed out, there have been cases on the record. I tried to summarize the
benefits in a short answer, but I don't mind elaborating.
> Which party are we worried about authenticating?
The Client, of course. And it is not simply that we are authenticating
the Client, we a) authenticate the token and b) ensure that it has not
been modified. Say, a rogue Client through some sort of phishing
pretends to the end user to be legitimate in accessing the user's data
and--to the server (i.e., service provider) it pretends to be a
legitimate partner. A lot of bad things may happen. Yet, if the request
for *temporary credentials* is denied when the signature is verified
and found wrong, nothing would proceed. Here, only a legitimate client
can even start a transaction.
And then, later the request for *token credentials* also needs to be
signed (and differently) to ensure that of all the legitimate Clients
only the Client authorized by the end user can access the record.
> What are we trying to ensure the integrity of?
The request, of course. Incidentally, this feature would come "for free" anyway
if the client signs the hash of the request and sends it along with the request itself.
(And throwing in a nonce into the hash would prevent replay.)
> What statement requires non-repudiation?
The mere transaction request, as far as I am concerned. If the Client later
claims that no such request had been made, the Server will show the signed
request. (Of course, here the best way to effect this is to use the private key
for signature; otherwise a solution may become hairy--requiring a third party.)
Igor
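As an added illustration of the three points argued above (client authentication, request integrity, and a nonce against replay), not code from this thread or from any OAuth library: a client signs a canonical form of its request with a shared secret, and the server checks the client is registered, recomputes the signature, and rejects a reused nonce. HMAC-SHA256 is assumed in place of OAuth 1.0's HMAC-SHA1; the URL, client ids and secrets are constructed sample values.

```python
import hashlib, hmac, secrets, time
from urllib.parse import quote

def enc(value):
    return quote(str(value), safe="")

def canonical(method, url, params):
    # Base string in the OAuth 1.0 spirit: method, URL and sorted, percent-encoded params.
    body = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), enc(url), enc(body)])

def sign(method, url, params, client_secret, token_secret=""):
    # Shared-secret HMAC: proves the sender knows the secret and binds every parameter.
    # Note: HMAC alone does not give non-repudiation, since the server holds the same
    # secret; that is the point Igor makes about needing a private-key signature.
    key = f"{enc(client_secret)}&{enc(token_secret)}".encode()
    return hmac.new(key, canonical(method, url, params).encode(), hashlib.sha256).hexdigest()

def client_request(method, url, params, client_id, client_secret, token_secret=""):
    # The nonce and timestamp are inside the signed material, so they cannot be altered.
    p = dict(params, oauth_consumer_key=client_id, oauth_nonce=secrets.token_hex(8),
             oauth_timestamp=str(int(time.time())))
    p["oauth_signature"] = sign(method, url, p, client_secret, token_secret)
    return p

class Server:
    def __init__(self, clients, window=300):
        self.clients = clients   # constructed registry: client_id -> client_secret
        self.seen = set()        # (client_id, nonce) pairs already accepted
        self.window = window     # acceptable clock skew in seconds

    def verify(self, method, url, params, token_secret="", now=None):
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        secret = self.clients.get(p.get("oauth_consumer_key"))
        if secret is None or sig is None:
            return "unknown client"        # only a registered client can start anything
        if not hmac.compare_digest(sig, sign(method, url, p, secret, token_secret)):
            return "bad signature"         # wrong secret or modified request
        now = time.time() if now is None else now
        if abs(now - int(p.get("oauth_timestamp", "0"))) > self.window:
            return "stale"                 # bounds how long the nonce set must be kept
        key = (p["oauth_consumer_key"], p.get("oauth_nonce"))
        if key in self.seen:
            return "replay"                # same signed request presented twice
        self.seen.add(key)
        return "ok"
```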
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth