On Mon, Jun 13, 2011 at 6:11 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:
> A comment on the MAC draft [draft-ietf-oauth-v2-http-mac-00]:
>
> When MAC credentials are issued with a Set-Cookie response header [section
> 6] the spec says to use the cookie’s name as the MAC key identifier (eg
> “id=SID”). It would make more sense to use the cookie’s value (eg
> “id=31d4d96e407aad42”).

That was the original plan, but cookie values tend to be longer than cookie names and it seemed silly to repeat the value twice in the request. (It's bad enough to repeat the name.)

> I guess the intention is to include the cookie’s value in the Cookie header
> so it is unnecessary to repeat it in the Authorization header.

Yep.

> Repeating the
> cookie name should be less overhead as it will usually be quite short.

Correct.

> This is a bit hacky, too hacky. Wouldn’t it be better for a client that
> recognizes a special MAC cookie to use it to construct Authorization headers
> and omit it from Cookie headers?

Nope. Sending the value in the Cookie header is important to help servers implement this scheme without breaking themselves.

> A client that doesn’t understand the extra
> MAC-Key cookie attribute will treat the cookie as a normal cookie to return
> in a Cookie header.

Indeed.

> A “normal” MAC library would use the id field in a “Authorization: MAC”
> header to lookup the secret key.

You're welcome to use the protocol that way. Just encode that information into the cookie name.

> A library for this spec will sometimes use
> the id field to lookup the secret key, but also sometimes use the id field
> to lookup a cookie then use that value to lookup the secret key. There is no
> explicit sign about which approach to follow in any given instance. It
> depends on how the MAC credentials were issued – which a protected resource
> shouldn’t have to care about, and might not know.
>
> There have been suggestions that the MAC calculation could/should cover the
> key id. In that situation it is even more crucial that the id field isn’t
> just a name referring to the real value elsewhere – as then the security
> changes based on the syntax used to issue the credentials.

It's not a big deal either way in practice. Folks will be cross-checking the cookies with the Mac anyway. It's better to send things once rather than have duplication.

Adam

> [Section 6, and 6.1.3]
>
> > Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=example.com;
> > MAC-Key=8yfrufh348h; MAC-Algorithm=hmac-sha-1
>
> > …The cookie name "SID" is used as the MAC key identifier
> > …
> > MAC key identifier
> > is equal to the operative-cookie's name,

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
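The exchange the thread is arguing about, as an added example that is not part of the original thread, the draft, or any project's code: a MAC-aware client returns the cookie in the Cookie header as usual and puts the cookie's *name* in the `id` field of the Authorization header; the resource server then resolves `id` to a cookie name, the cookie name to the value sent in the Cookie header, and that value to the MAC key, and recomputes the MAC (the "cross-checking the cookies with the Mac" Adam refers to). The Set-Cookie line is constructed after the one quoted from section 6. The normalized request string used here (nonce, method, request-uri, host, port joined by newlines) is a simplification and my assumption, not the draft's exact definition, and the `key_store` dictionary keyed by session-cookie value is a hypothetical server-side store.

```python
import base64
import hashlib
import hmac

# Constructed sample, modelled on the Set-Cookie line quoted from section 6.
SET_COOKIE = ("SID=31d4d96e407aad42; Path=/; Domain=example.com; "
              "MAC-Key=8yfrufh348h; MAC-Algorithm=hmac-sha-1")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip()] = val.strip()
    return name, value, attrs


def normalized_request(nonce, method, uri, host, port):
    # ASSUMPTION: simplified normalization; the draft defines its own string.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port)]) + "\n"


def compute_mac(key, algorithm, text):
    """HMAC-SHA1 over the normalized request, base64-encoded."""
    if algorithm != "hmac-sha-1":
        raise ValueError("unsupported MAC-Algorithm: " + algorithm)
    digest = hmac.new(key.encode(), text.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def client_request_headers(set_cookie, nonce, method, uri, host, port):
    """MAC-aware client: send the cookie normally AND an Authorization header
    whose id is the cookie *name*, as section 6 of the draft says."""
    name, value, attrs = parse_set_cookie(set_cookie)
    mac = compute_mac(attrs["MAC-Key"], attrs["MAC-Algorithm"],
                      normalized_request(nonce, method, uri, host, port))
    return {
        "Cookie": f"{name}={value}",
        "Authorization": f'MAC id="{name}", nonce="{nonce}", mac="{mac}"',
    }


def parse_auth_params(header):
    """Parse 'MAC id="...", nonce="...", mac="..."' into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    params = {}
    for item in rest.split(","):
        key, _, val = item.strip().partition("=")
        params[key] = val.strip('"')
    return params


def parse_cookie_header(header):
    cookies = {}
    for item in header.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            cookies[key] = val
    return cookies


def server_verify(headers, method, uri, host, port, key_store):
    """Resource server: id -> cookie name -> cookie value -> (key, algorithm),
    then recompute and compare the MAC. key_store is a hypothetical store
    keyed by the session-cookie value the server issued."""
    params = parse_auth_params(headers["Authorization"])
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    cookie_value = cookies.get(params["id"])
    if cookie_value is None:
        return False  # id names a cookie the client did not send
    entry = key_store.get(cookie_value)
    if entry is None:
        return False  # unknown or expired session cookie
    key, algorithm = entry
    expected = compute_mac(key, algorithm,
                           normalized_request(params["nonce"], method, uri, host, port))
    return hmac.compare_digest(expected, params["mac"])


if __name__ == "__main__":
    store = {"31d4d96e407aad42": ("8yfrufh348h", "hmac-sha-1")}
    hdrs = client_request_headers(SET_COOKIE, "1307985000:n0nce", "GET",
                                  "/resource/1?b=1", "example.com", 80)
    print(hdrs)
    print("valid:", server_verify(hdrs, "GET", "/resource/1?b=1", "example.com", 80, store))
```

Note what the server never does here: it never trusts the `id` field on its own. A request whose Cookie header carries a value the server did not issue, or that omits the cookie entirely, fails before any MAC is computed, and a MAC computed over a different method or URI fails the constant-time comparison. Nonce replay tracking is left out for brevity and would sit alongside the key lookup in a real resource server.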