Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-04-11 Thread Eran Hammer-Lahav
> -Original Message- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Monday, February 07, 2011 9:25 AM > To: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > On body-hash... > > Having completed a tri

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-04-06 Thread Eran Hammer-Lahav
> -Original Message- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Thursday, January 27, 2011 3:52 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > This is excellent. Thanks for pulling together

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Eran Hammer-Lahav
- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Tuesday, February 08, 2011 12:57 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote: > > This authenticatio

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Skylar Woodward
On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote: > This authentication method comes with well understood security properties. By > making query parameters optional because of developer ease, providers will be > giving up an important part of the protection this protocol offers. This is > esp

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Eran Hammer-Lahav
uth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > Here's a thought: > > signed_content="request,query,body" > > If not included, it defaults to "request,query". It's non-breaking (except for > the implied removal

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread Skylar Woodward
>> -Original Message- >> From: Skylar Woodward [mailto:sky...@kiva.org] >> Sent: Monday, February 07, 2011 9:25 AM >> To: Eran Hammer-Lahav; OAuth WG >> Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 >> >> On body-hash... >>

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread Eran Hammer-Lahav
Hi Skylar, > -Original Message- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Monday, February 07, 2011 9:25 AM > On including parameters for signing... > > I'd retract my suggestion that we'd include parameter-hash in the header. > Instead, I would suggest making parameters

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread William Mills
an Hammer-Lahav Sent: Friday, January 21, 2011 5:10 PM To: OAuth WG Subject: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 New version includes the following changes: o Added body-hash support. o Updated OAuth 2.0 reference

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread Eran Hammer-Lahav
EHL > -Original Message- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Monday, February 07, 2011 9:25 AM > To: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 > > On body-hash... > > Having completed a trial implem

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread Skylar Woodward
On body-hash... Having completed a trial implementation, it seems redundant, and potentially problematic, to include the body-hash in the Authentication header. The danger is that implementors may neglect to recalculate the hash themselves, reusing the value (even if incorrect) provided by the

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-07 Thread Skylar Woodward
A couple of editorial notes: 3.2 has a mismatch of parameters between the example and the text (eg, "using access token j92fsdjf094gjfdi,..." where h480djs93hd8 from 1.1 is used in the example). The timestamp and nonce are also mismatched, though bodyhash seems correct. As a result, the signatu

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-05 Thread Eran Hammer-Lahav
.@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Friday, January 21, 2011 5:10 PM To: OAuth WG Subject: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 New version includes the following changes: o Added body-ha

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-05 Thread William Mills
t the newlines should be there. -bill From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Friday, January 21, 2011 5:10 PM To: OAuth WG Subject: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02 http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-01-27 Thread Skylar Woodward
This is excellent. Thanks for pulling together a signature-based token spec. Some feedback: - As I think was mentioned in a previous post, this spec is also attractive as a method for asserting client credentials (eg, for access token requests). Your point is noted on substituting "client_id" as

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-01-21 Thread Eran Hammer-Lahav
The tools are slow. Just try again. EHL > -Original Message- > From: michael.d.ad...@gmail.com [mailto:michael.d.ad...@gmail.com] > On Behalf Of Michael D Adams > Sent: Friday, January 21, 2011 5:36 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-01-21 Thread Michael D Adams
On Fri, Jan 21, 2011 at 5:09 PM, Eran Hammer-Lahav wrote: > http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 That link redirects me to -01 $ curl -I 'http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02' HTTP/1.1 302 Found Date: Sat, 22 Jan 2011 01:35:45 GMT Server: Apache/

[OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-01-21 Thread Eran Hammer-Lahav
http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 New version includes the following changes: o Added body-hash support. o Updated OAuth 2.0 reference to -12 and added token type registration template. o Removed error and error URI attributes (codes were just a duplicatio