On Sun, Mar 7, 2010 at 9:24 AM, Ethan Jewett <esjew...@gmail.com> wrote:

> Before I get started, let me say that this should be taken with a very
> large grain of salt. I am not a technical expert in these areas. I've
> only done a fair amount of reading and following along with standards
> efforts. Conclusions here should be questioned thoroughly and
> corrected as necessary, but since no one else seems to be willing to
> systematically look into the performance argument for signatures vs.
> SSL/TLS, I thought I'd just sit down for a couple of hours and pound
> it out. The following is the result of that work.
<snip>

A couple of quick notes on this.

1) Amortized analysis is really important when you are looking at https connection overhead. The first document you reference seems to assume that each SSL session is used for exactly one HTTP request. That's not the common case, though it certainly can happen in real-world environments. Overhead from https is highly dependent on deployment scenarios, with real-world costs ranging from "free" to "ridiculously expensive", depending on the details of the clients and servers and usage patterns.

2) Your analysis of the overhead of OAuth 1.0a signing assumes that HMAC is used rather than RSA. You get very different numbers for RSA.

3) Security arguments for "signing" in OAuth can be fairly subtle. Different people are using signing in different ways for different reasons, with corresponding different requirements in terms of key distribution and use of transport layer encryption.

4) I think "from a security perspective, signing appears to be at least as good in all respects as bearer tokens sent in the clear" overstates the case. It depends on the bearer token, the signature scheme, and the security goals. Check out the security considerations of the digest auth spec (RFC 2617) for some of the trade-offs here.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
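Brian's second note concerns the cost of the HMAC-SHA1 flavour of OAuth 1.0a signing. As an added example (not part of this thread), the block below carries out the full RFC 5849 signature computation on the request from section 3.4.1.1 of that RFC: parameter collection and normalization, base-string construction, and a single HMAC-SHA1 over it. The two secrets are constructed sample values (the RFC does not publish the ones behind its example), and the RSA-SHA1 method would replace only the final HMAC step with a private-key signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed sample secrets; RFC 5849 does not give the secrets for its example.
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"

# Request from RFC 5849 section 3.4.1.1 (POST with query, form body and OAuth header).
RFC_METHOD = "POST"
RFC_URI = "http://example.com/request"           # scheme, host and path only
RFC_QUERY = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}

def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved bytes are kept."""
    unreserved = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
    return "".join(chr(b) if b in unreserved else f"%{b:02X}" for b in s.encode("utf-8"))

def base_string(method: str, base_uri: str, query: str, body: str, oauth: dict) -> str:
    """Build the RFC 5849 section 3.4.1 signature base string.
    query and body are raw form-encoded strings (decoded here, then re-encoded);
    realm and oauth_signature are excluded from the normalized parameters."""
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)   # by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def hmac_sha1_sign(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with the two encoded secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()).decode()

def verify(base: str, signature: str, consumer_secret: str, token_secret: str) -> bool:
    """Server side: recompute from the received request and compare in constant time."""
    expected = hmac_sha1_sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def rfc5849_example() -> tuple:
    """Sign the RFC's example request; returns (base string, base64 signature)."""
    base = base_string(RFC_METHOD, RFC_URI, RFC_QUERY, RFC_BODY, RFC_OAUTH)
    return base, hmac_sha1_sign(base, CONSUMER_SECRET, TOKEN_SECRET)

if __name__ == "__main__":
    b, s = rfc5849_example()
    print(b)
    print(s, verify(b, s, CONSUMER_SECRET, TOKEN_SECRET))
```

Most of the per-request signing work is string normalization rather than cryptography, which is why the HMAC variant is cheap and why, on the verifying side, any byte-level mismatch in the recomputed base string (ordering, double-encoding, a body parameter left out) shows up as a failed signature rather than a crypto error.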