Enterprise Signing in OAUTH2

Tuesday – Session 2 - I

Convener: Brian Eaton

Notes-taker(s): William Mills

A.	Tags for the session - technology discussed/ideas considered:

B.	Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Brian: "I'm really happy with Oaut2, except for the signing...  Can we take section 5.3 of the spec and set it on fire?"

Problems seeen: -   HMAC covers the situation where people don't want to do SSL, but requires the whole ugly key management thing. Brina proposes (with a long list of others interested) that we need public key signing.

-   The signing is not extensible, you can't add additional fields to the signature. This seems to be a problem in the current spec.

-   New protocol substrates.

-   One signing choice doesn't seem enough. Extensibility seems key here, can we do this with some form of discovery?

Proposed fixes:

-   Create a JSON blob we want signed. -   an example... does not require reconstruction of the string to be signed -   BUT how do you verify the signed stuff is part of the request? -   ALSO not great: duplication of data. -   We need key versioning -   Needs key discovery -   Can use something liek https:// .appspot.com/.well-known/oauth or some such. -   This might not work for folks that are white label, because there isn't a separate URL for all the entities that need to be discovered. -   There is a google group for the OAuth Key Discovery spec. See Brian's copy of the slides. -   It's worthwhile to join the OAuth2 mailing list to comment on this. -   This is a big discussion topic, I don't type that fast. -   XKMS is again, good reference reading for this.

Discussion: -   How does it work with firewalls -- in and out... -   XMLDSIG is very similar to this, it would be worthwhile to learn from that. Also CMS (Crypto Message Sig). -   Does have the whole PKI problem. -   Can we solve this with SSL? SSL with client certs? Maybe...   -    MUch discussion here about how key excahnge and key management should work. -   Comment -- If you want to sign arbitrary parts of an HTTP request then use SAML. you don't really want to duplicate that here. -   Need to make sure we get the key exchange right, if you try to put it in here people will get it wrong. -   KeyID/key discovery. -   comment: see XKMS for related reading. -   keyID probably belongs in the envelope and not the payload (from his modified example.