I believe that there's value in per-message signing completely apart from the channel-level encryption. MAC tokens let us do this with a per-token secret using a pattern very well established in OAuth1. I'm sorry that I wasn't at the Vancouver meeting to voice this opinion, for what it's worth.

 -- Justin

On 08/08/2012 12:24 PM, Hannes Tschofenig wrote:
Hi Justas,

thanks for sending your feedback to the list.

There is indeed currently no editor for the document. That is, however, not the 
problem.
The problem, as discussed on the list and also at the last IETF meeting, is 
that we do not yet know what type of security properties we want. The MAC draft 
may or may not provide the type of protection we want.

For that reason we first have to figure out what problem we want to solve 
before we jump into the details of fixing some minor errors.

Ciao
Hannes

On Aug 8, 2012, at 6:08 PM, Justin Richer wrote:

Thanks Justas. The MAC document is currently without an editor within the WG, 
so this is the best place to record the error.

A wider note to the WG: I wouldn't mind taking over editorship of the MAC token 
document so long as I could get a co-editor with enough cryptographic expertise 
to make sure all the magical crypto bits work like they should. I've sent an 
email to the chairs saying as much, as well.

-- Justin

On 08/05/2012 06:30 AM, Justas Janauskas wrote:
Hello,

Sorry if this is not the right group to send this message; I am new here.

I believe there is a mistake in the calculated request MAC presented in the
"draft-ietf-oauth-v2-http-mac-01" example, section 1.1.

I made a small program to test the correctness of the example and it shows
that it is incorrectly calculated in the document:
https://gist.github.com/3263677

I have also implemented an example from the previous draft 00, section 1.2,
which shows that the request MAC is calculated correctly there:
https://gist.github.com/3263765

Thank you,
Justas Janauskas
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth