[cap-talk] Please help us understand a protocol

Jed Donnelley capability at webstart.com
Wed Sep 26 03:19:53 EDT 2007


At 07:48 PM 9/25/2007, Ben Laurie wrote:

>The point here is that the service provider can switch off a 
>malicious consumer.
>...
>OAuth does not specify how consumers register, so it is a bit of a
>leap to assume that any consumer can register. That is entirely up to
>the service provider.

Are you (they?) imagining some sort of rating system or other
means to distinguish between consumers?  Even if a "consumer"
proves malicious (whatever that might mean?  I don't see
how a consumer can do anything but use permissions granted -
except perhaps denial of service) how does a service provider
identify a new registration by the 'same' consumer?

They say in the spec: http://oauth.net/documentation/spec
_________
The Service Provider documentation explains how to
register for a Consumer Key and Consumer Secret.
_________

There is no prior communication assumed, so I don't see
how any one consumer is distinguished from any other.
Perhaps there is some ad hoc research of potential
consumers assumed?  That is, it may be assumed that
the registration of a consumer is a 'slow' (not
automated) process involving human research?

How this works is unclear to me (them, you?), so
I wanted to point out this issue in the documentation.

As far as I can tell there is no distinction made between
consumers (by service providers), though I suppose that
could be something else that is unspecified.

> > In this message I'll confine myself to just
> > trying to help others to understand the protocol.
> > We can leave any discussion of the value of the
> > protocol, how it relates to capabilities and
> > such for later messages.
>
>OK, but I would note that the fact that the consumer has to sign any
>requests they make with their secret means that the OAuth token is not
>a pure capability.

It is the "signed" token (actually just including a hash
of the consumer secret concatenated with the token secret
as I understand it) that seems to me like the capability
as data.  In their example this is what they include
at the end when they say:

"And if using query parameters:

http://photos.example.net/photos?file=vacation.jpg&size=original&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk&oauth_signature_method=HMAC-SHA1&oauth_signature=3a4df91bba14e81cde073c9070beec993e45a2d6&oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh

".  I don't see any suggestion that this request will only
work when issued from some source (e.g. by IP address).
I believe the consumer could send this string to any
other "consumer" (process on the network) and it would
work.  I don't see any handshaking required to have the
above URL processed.  If I've missed something there I'd
like to hear it explained.

> > Their blog:
> >
> > http://oauth.net/blog
> >
> > is amusing...
>
>I think that is an aggregator.

I was mostly referring to the ads and such.  E.g.
...  "For the love of God, use OAuth."
I certainly had no intent to be critical with
the above comment.  I think I can see how this
protocol makes sense from where they are approaching.

The main difficulty that I see is that every
delegation requires a user (person) authorization.
In my opinion this can't take cross site authorization
very far.  I guess that without accepting automated
communication of permissions (a capability by any
other name) then it's about as far as one can go.

--Jed  http://www.webstart.com/jed/ 
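The signed request quoted above, as an added example that is not from the page or from the OAuth project: it signs the example URL with the spec's HMAC-SHA1 method (the HMAC key is the consumer secret joined to the token secret with '&', over a normalized base string of method, URL and parameters), and a service-provider `verify()` that accepts the string once and refuses the identical string a second time, which is the check a provider needs when the signed URL verifies for whoever presents it. The two secrets, the replay bookkeeping and the function names are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request parameters from the page's example URL; the two secrets are constructed here
PAGE_URL = "http://photos.example.net/photos"
PAGE_PARAMS = {"file": "vacation.jpg", "size": "original", "oauth_signature_method": "HMAC-SHA1",
               "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
               "oauth_timestamp": "1191242096", "oauth_nonce": "kllo9940pd9333jh"}
CONSUMER_SECRET = "constructed-consumer-secret"  # assumed, not on the page
TOKEN_SECRET = "constructed-token-secret"        # assumed, not on the page

def pct(s):  # OAuth percent-encoding: only RFC 3986 unreserved characters pass through
    return quote(s, safe="-._~")

def base_string(method, url, params):
    p = urlsplit(url)
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(f"{p.scheme}://{p.netloc}{p.path}"), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 key is consumer secret '&' token secret; the provider needs both to verify
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request_url():  # consumer side: the complete URL as it goes on the wire
    sig = sign("GET", PAGE_URL, PAGE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    query = "&".join(f"{pct(k)}={pct(v)}" for k, v in PAGE_PARAMS.items())
    return f"{PAGE_URL}?{query}&oauth_signature={pct(sig)}"

def verify(method, signed_url, consumers, tokens, seen):
    """Service-provider side. consumers/tokens map key -> secret; seen is the set of
    (consumer_key, timestamp, nonce) triples already accepted, updated in place."""
    p = urlsplit(signed_url)
    params = dict(parse_qsl(p.query, keep_blank_values=True))
    sig = params.pop("oauth_signature", "")
    ckey, tok = params.get("oauth_consumer_key"), params.get("oauth_token")
    if ckey not in consumers or tok not in tokens:
        return "unknown consumer or token"
    expected = sign(method, f"{p.scheme}://{p.netloc}{p.path}", params,
                    consumers[ckey], tokens[tok])
    if not hmac.compare_digest(expected, sig):
        return "bad signature"  # any edit to the string breaks it: the holder cannot alter it
    replay = (ckey, params.get("oauth_timestamp"), params.get("oauth_nonce"))
    if replay in seen:
        return "replay"  # the unaltered string verifies for whoever presents it, so refuse repeats
    seen.add(replay)
    return "ok"
```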
