From bburke at redhat.com Thu Feb 10 14:38:44 2011
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Feb 2011 09:38:44 -0500
Subject: [rest-practices] proposed digital signature api
Message-ID: <4D53F874.4070404@redhat.com>

FYI:

http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/

If anybody has any feedback, it would be much welcomed.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


From bkearney at redhat.com Thu Feb 10 14:57:29 2011
From: bkearney at redhat.com (Bryan Kearney)
Date: Thu, 10 Feb 2011 09:57:29 -0500
Subject: [rest-practices] proposed digital signature api
In-Reply-To: <4D53F874.4070404@redhat.com>
References: <4D53F874.4070404@redhat.com>
Message-ID: <4D53FCD9.5070609@redhat.com>

On 02/10/2011 09:38 AM, Bill Burke wrote:
> FYI:
>
> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>
> If anybody has any feedback, it would be much welcomed.
>

Posted on the blog as well:

As you mention, this feels a lot like two-legged OAuth. Two-legged OAuth gives you the signature plus the nonce, which can protect you from replay attacks.

So, my first thought would be to incorporate two-legged OAuth. Barring that, it appears as if you are not signing query parameters? If I am looking for this as a means to do trust between two systems, I would think I would want to get at least the URL or query parameters in the signature.

-- bk


From bburke at redhat.com Thu Feb 10 15:01:16 2011
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Feb 2011 10:01:16 -0500
Subject: [rest-practices] proposed digital signature api
In-Reply-To: <4D53FCD9.5070609@redhat.com>
References: <4D53F874.4070404@redhat.com> <4D53FCD9.5070609@redhat.com>
Message-ID: <4D53FDBC.70903@redhat.com>

On 2/10/11 9:57 AM, Bryan Kearney wrote:
> On 02/10/2011 09:38 AM, Bill Burke wrote:
>> FYI:
>>
>> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>>
>> If anybody has any feedback, it would be much welcomed.
>>
> Posted on the blog as well:
>
> As you mention, this feels a lot like two-legged OAuth. Two-legged OAuth
> gives you the signature plus the nonce, which can protect you from
> replay attacks.
>
> So, my first thought would be to incorporate two-legged OAuth. Barring
> that, it appears as if you are not signing query parameters? If I am
> looking for this as a means to do trust between two systems, I would
> think I would want to get at least the URL or query parameters in the
> signature.
>

I kinda wanted this to be orthogonal to the authentication mechanism, so that users can use traditional authentication while supporting signatures. And also allow clients/servers to ignore signatures if they so desire. It didn't seem like this was really part of OAuth and more a part of the overlying whole OAuth authentication protocol.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


From bkearney at redhat.com Thu Feb 10 15:26:15 2011
From: bkearney at redhat.com (Bryan Kearney)
Date: Thu, 10 Feb 2011 10:26:15 -0500
Subject: [rest-practices] proposed digital signature api
In-Reply-To: <4D53FDBC.70903@redhat.com>
References: <4D53F874.4070404@redhat.com> <4D53FCD9.5070609@redhat.com> <4D53FDBC.70903@redhat.com>
Message-ID: <4D540397.8000408@redhat.com>

On 02/10/2011 10:01 AM, Bill Burke wrote:
>
> On 2/10/11 9:57 AM, Bryan Kearney wrote:
>> On 02/10/2011 09:38 AM, Bill Burke wrote:
>>> FYI:
>>>
>>> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>>>
>>> If anybody has any feedback, it would be much welcomed.
>>>
>> Posted on the blog as well:
>>
>> As you mention, this feels a lot like two-legged OAuth. Two-legged OAuth
>> gives you the signature plus the nonce, which can protect you from
>> replay attacks.
>>
>> So, my first thought would be to incorporate two-legged OAuth. Barring
>> that, it appears as if you are not signing query parameters? If I am
>> looking for this as a means to do trust between two systems, I would
>> think I would want to get at least the URL or query parameters in the
>> signature.
>>
>
> I kinda wanted this to be orthogonal to the authentication mechanism, so
> that users can use traditional authentication while supporting
> signatures. And also allow clients/servers to ignore signatures if they
> so desire. It didn't seem like this was really part of OAuth and more a
> part of the overlying whole OAuth authentication protocol.
>

Two-legged takes the auth out of it.. it is really more of a trusted system approach. The systems share a secret, and then messages and headers are signed using that secret. With the nonce and timestamp, you are protected from most replay attacks as well as trust.

-- bk
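The two points raised in this thread, that the URL and query parameters should be covered by the signature and that a nonce plus timestamp is what gives replay protection in the two-legged, shared-secret model, can be shown end to end in a small signer/verifier pair. The code below is an added illustration and is not Bill's proposal, RESTEasy code, or OAuth; the `X-Example-Signature` header, its `keyId/headers/ts/nonce/sig` parameter format, the canonical string layout, the key id and the shared secret are all constructed for this example. It signs the method, path, sorted query string, selected headers, timestamp and nonce with HMAC-SHA256, and the verifier rejects stale timestamps, reused nonces and any request whose query string was changed after signing.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values for this example; real deployments provision them out of band.
KEY_ID = "demo-key-1"
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
# Hypothetical header name chosen for this example, not the header from the blog proposal.
SIG_HEADER = "X-Example-Signature"
MAX_SKEW_SECONDS = 300  # how far a request timestamp may drift from the server clock


def canonical_string(method, url, signed_headers, headers, timestamp, nonce):
    """Build the string that gets signed.

    It binds the method, the path, every query parameter (sorted so that order
    does not matter), the chosen headers, the timestamp and the nonce. Because
    the query is part of it, changing a parameter changes the signature.
    """
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = [method.upper(), parts.path or "/", query]
    for name in signed_headers:
        lines.append(f"{name.lower()}:{lowered.get(name.lower(), '').strip()}")
    lines.append(str(timestamp))
    lines.append(nonce)
    return "\n".join(lines)


def sign_request(method, url, headers, secret, signed_headers=("content-type",),
                 timestamp=None, nonce=None):
    """Client side: return the value to send in the signature header."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    to_sign = canonical_string(method, url, signed_headers, headers, timestamp, nonce)
    mac = hmac.new(secret, to_sign.encode(), hashlib.sha256).hexdigest()
    header_list = " ".join(signed_headers)
    return (f'keyId="{KEY_ID}",headers="{header_list}",'
            f'ts="{timestamp}",nonce="{nonce}",sig="{mac}"')


class SignatureVerifier:
    """Server side: checks the timestamp window, nonce reuse and the MAC."""

    def __init__(self, key_table, max_skew=MAX_SKEW_SECONDS, clock=time.time):
        self.key_table = key_table  # keyId -> shared secret
        self.max_skew = max_skew
        self.clock = clock          # injectable so the walkthrough is deterministic
        self.seen_nonces = {}       # nonce -> time after which it may be forgotten

    def verify(self, method, url, headers):
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get(SIG_HEADER.lower())
        if not value:
            return False, "missing signature"
        params = dict(re.findall(r'(\w+)="([^"]*)"', value))
        if any(k not in params for k in ("keyId", "headers", "ts", "nonce", "sig")):
            return False, "malformed signature header"
        secret = self.key_table.get(params["keyId"])
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(params["ts"])
        except ValueError:
            return False, "bad timestamp"
        now = self.clock()
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        # A nonce only has to be remembered while its timestamp is still inside the window.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if params["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        to_sign = canonical_string(method, url, params["headers"].split(), lowered, ts, params["nonce"])
        expected = hmac.new(secret, to_sign.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, params["sig"]):
            return False, "bad signature"
        # Record the nonce only after the MAC checks out, so unauthenticated junk cannot fill the store.
        self.seen_nonces[params["nonce"]] = ts + self.max_skew
        return True, "ok"


def demo():
    """Walk through the cases discussed in the thread; returns each verifier outcome."""
    clock = lambda: 1_700_000_000  # fixed clock so the results are reproducible
    verifier = SignatureVerifier({KEY_ID: SHARED_SECRET}, clock=clock)
    url = "https://api.example.test/orders?customer=42&limit=10"  # constructed request
    headers = {"Content-Type": "application/json"}
    results = {}
    sig = sign_request("GET", url, headers, SHARED_SECRET, timestamp=clock(), nonce="nonce-1")
    signed = dict(headers, **{SIG_HEADER: sig})
    results["valid"] = verifier.verify("GET", url, signed)
    results["replay"] = verifier.verify("GET", url, signed)  # same nonce again
    sig3 = sign_request("GET", url, headers, SHARED_SECRET, timestamp=clock(), nonce="nonce-3")
    tampered = url.replace("customer=42", "customer=7")  # query changed after signing
    results["tampered_query"] = verifier.verify("GET", tampered, dict(headers, **{SIG_HEADER: sig3}))
    stale = sign_request("GET", url, headers, SHARED_SECRET, timestamp=clock() - 3600, nonce="nonce-2")
    results["stale"] = verifier.verify("GET", url, dict(headers, **{SIG_HEADER: stale}))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The in-memory nonce dictionary is the simplest store that works for one process; a deployment with several verifying nodes needs a shared store with the same expiry rule, otherwise a request replayed against a different node is accepted. Sorting the query parameters before signing is what lets both sides agree on the canonical form even when an intermediary reorders them, while still making Bryan's point hold: a changed parameter value produces a different MAC.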