Enterprise Signing in OAuth

Session: Tuesday, Session 2, Space I

Conference: IIW 10 May 17-19, 2009 this is the complete Complete Set of Notes

Brian:  "I'm really happy with Oaut2, except for the signing...  Can we take section 5.3 of the spec and set it on fire?"

Problems seen:
 * HMAC covers the situation where people don't want to do SSL, but requires the whole ugly key management thing.  Brian proposes (with a long list of others interested) that we need public key signing.
 * The signing is not extensible, you can't add additional fields to the signature.  This seems to be a problem in the current spec.
 * New protocol substrates.
 * One signing choice doesn't seem enough.  Extensibility seems key here, can we do this with some form of discovery?

Proposed fixes:
 * Create a JSON blob we want signed.     -
 * an example...  does not require reconstruction of the string to be signed
 * BUT how do you verify the signed stuff is part of the request?
 * ALSO not great: duplication of data.
 * We need key versioning
 * Needs key discovery
 * Can use something liek https:// .appspot.com/.well-known/oauth or some such.
 * This might not work for folks that are white label, because there isn't a separate URL for all the entities that need to be discovered.
 * There is a google group for the OAuth Key Discovery spec.  See Brian's copy of the slides.
 * It's worthwhile to join the OAuth2 mailing list to comment on this.
 * This is a big discussion topic, I don't type that fast.
 * XKMS is again, good reference reading for this.

Discussion:
 * How does it work with firewalls -- in and out...
 * XMLDSIG is very similar to this, it would be worthwhile to learn from that.  Also CMS (Crypto Message Sig).
 * Does have the whole PKI problem.


 * Can we solve this with SSL?  SSL with client certs?  Maybe...
 * Much discussion here about how key excahnge and key management should work.


 * Comment -- If you want to sign arbitrary parts of an HTTP request then use SAML.  you don't really want to duplicate that here.
 * Need to make sure we get the key exchange right, if you try to put it in here people will get it wrong.
 * KeyID/key discovery.
 * comment: see XKMS for related reading.
 * keyID probably belongs in the envelope and not the payload (from his modified example.