SGTM -- I think the tradeoff is interoperable and simple hop-based integrity protection (assuming existing TLS libraries exist) vs. more complicated but full end to end integrity protection (and libraries need to be written).
On Tue, Mar 16, 2010 at 7:11 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> Hi John,
>
> following your arguments, I could add "integrity protection of complete
> HTTP requests in an interoperable way" to the "pro HTTPS" section?
>
> regards,
> Torsten.
>
> On 16.03.2010 07:22, John Panzer wrote:
>
> I'm confused by one "pro" for signatures:
>
> "Protect integrity of whole request - authorization data and payload when
> communicating over unsecure channel"
>
> I do not believe there is an existing concrete proposal that will protect
> the whole request, unless you add additional restrictions on the request
> types -- e.g., only HTTP GET or POST with form-encoded data variables only.
>
> If the assertion is that signatures will actually provide integrity for
> arbitrary HTTP request bodies as well as the URL, authority, and HTTP
> method: I would like to see at least one concrete proposal that will
> accomplish this. IIRC there's only one that I think is possibly
> implementable in an interoperable way, and it supports only JSON payloads.
> In other words, anyone using body signing would need to wrap their data in
> JSON to do it. (This is not necessarily the worst thing in the world, of
> course, but it is something to be taken into account when listing pros and
> cons.)
>
> On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
>> Hi all,
>>
>> I composed a detailed summary at
>> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy. Please
>> review it.
>>
>> @Zachary: I also added some of your recent notes.
>>
>> regards,
>> Torsten.
>>
>> I volunteer to write it up.
>>
>> <hat type='chair'/>
>>
>> On 3/4/10 1:00 PM, Blaine Cook wrote:
>>
>> One of the things that's been a primary focus of both today's WG call
>> and last week's call is what are the specific use cases for
>> signatures?
>>
>> - Why are signatures needed?
>> - What do signatures need to protect?
>>
>> Let's try to outline the use cases! Please reply here, so that we have
>> a good idea of what they are as we move towards the Anaheim WG.
>>
>> This was a valuable thread. Perhaps someone could write up a summary of
>> the points raised, either on the list or at the wiki?
>>
>> Peter
>>
>> _______________________________________________
>> OAuth mailing list
>> oa...@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
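To make the tradeoff discussed above concrete, here is an added illustration of what "end-to-end" integrity protection of method, URL and body looks like when done by the client and verified by the resource server, independent of any TLS hop in between. This is example code written for this page; it is not from the thread, not one of the drafts John refers to, and not an IETF proposal. It assumes (my choices, not the thread's) a pre-shared HMAC-SHA256 key and one particular canonicalisation: upper-cased method, lower-cased host, path, sorted percent-encoded query parameters, and a SHA-256 hash of the raw body bytes. The shared key, URL and JSON payload are constructed sample data.

```python
"""Illustrative end-to-end request signature over method, URL and body.

Added example, not code from the OAuth WG thread or any of its drafts.
Assumptions (mine, not the thread's): a pre-shared HMAC key, and a
canonical form built from the method, host, path, sorted query
parameters and a SHA-256 hash of the raw body bytes.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed shared secret for the demo. A real design would provision
# per-client keys and add a timestamp/nonce to the signed string so a
# captured request cannot simply be replayed.
SHARED_KEY = b"demo-client-secret"


def canonical_string(method: str, url: str, body: bytes) -> str:
    """Build the byte-exact string both sides must agree on.

    Hashing the raw body covers any content type, but only if the receiver
    sees exactly the bytes the sender hashed (no re-encoding, re-chunking
    or re-serialisation by an intermediary). That requirement is the
    interoperability burden the thread is arguing about.
    """
    parts = urlsplit(url)
    # Sorted, percent-encoded query so parameter order does not matter.
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    body_hash = base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")
    return "\n".join([
        method.upper(),
        parts.netloc.lower(),
        parts.path or "/",
        query,
        body_hash,
    ])


def sign_request(key: bytes, method: str, url: str, body: bytes) -> str:
    """HMAC-SHA256 over the canonical string, base64 encoded for a header."""
    msg = canonical_string(method, url, body).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def verify_request(key: bytes, method: str, url: str, body: bytes, signature: str) -> bool:
    """Recompute on the receiver's view of the request; constant-time compare."""
    expected = sign_request(key, method, url, body)
    return hmac.compare_digest(expected, signature)


def tamper_demo() -> dict:
    """Sign a JSON POST, then show what a verifier accepts or rejects."""
    method = "POST"
    url = "https://api.example.com/v1/transfer?account=42&currency=USD"
    body = b'{"amount": 10, "to": "alice"}'  # constructed sample payload
    sig = sign_request(SHARED_KEY, method, url, body)
    return {
        "original": verify_request(SHARED_KEY, method, url, body, sig),
        # Query order differs on the wire; canonicalisation makes it equal.
        "reordered_query": verify_request(
            SHARED_KEY, method,
            "https://api.example.com/v1/transfer?currency=USD&account=42", body, sig),
        # Payload changed in transit: the body hash no longer matches.
        "tampered_body": verify_request(
            SHARED_KEY, method, url, b'{"amount": 1000, "to": "mallory"}', sig),
        # Path rewritten by a man-in-the-middle: the URL part no longer matches.
        "tampered_path": verify_request(
            SHARED_KEY, method,
            "https://api.example.com/v1/refund?account=42&currency=USD", body, sig),
        # Same bytes, different key: another client cannot forge the MAC.
        "wrong_key": verify_request(b"other-secret", method, url, body, sig),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case:16s} {'accepted' if ok else 'REJECTED'}")
```

The point of the example is not the HMAC itself but the `canonical_string` step: the verifier must be able to rebuild exactly the same string from what it receives, so any proxy that normalises the URL, re-encodes the body or changes the `Host` it forwards silently breaks verification. TLS avoids that problem by protecting bytes hop by hop and leaving canonicalisation out entirely, which is the "interoperable and simple" side of the tradeoff stated at the top of this message.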