Isn't oauth_signature reinventing the SSL wheel?

Question

While using the twitter API, I came across the oauth_signature which is basically a hash of the (request body + request parameters + nonces/timestamps + a consumer_secret). The consumer_secret is known only to the application that is sending the request.

In Twitter's case:

• all communication MUST happen over SSL.
• twitter issues the consumer_secret to each authorized application.

Since the primary use of the oauth_signature is to prevent MITMs (i.e. no tits (tampering in transit) :), it seems to me that this particular use case could be solved via Mutual SSL

• Twitter, instead of issuing the consumer_secret, can issue SSL certificates for each application.

While this idea of client ssl-certificates might seem like 1990s internet arcana, it was not successful largely because of the trouble in verifying the chain of trust for client certificates. That problem does not arise here because twitter would be the sole issuer AND verifier of the certificates. The drawback would be much more involved effort on Twitter's behalf to produce the initial application/client ssl certificates, but the payoff would be in the simplicity of the REST API, which can rest on the guarantee that the client is who he says he is.

Note that twitter is just an example in this case. AFAIK, most other oauth implementors use a similar strategy, and the points here apply to any large scale OAuth implementor that already mandates SSL.

What am I missing here? Internet Inertia?

Answer 1

Mutual SSL certs, while a good idea, don't exactly solve the problem that OAuth is trying to solve. OAuth has two sets of tokens. One for the application (which could be replaced by the SSL certs), but also for the specific user. The SSL certs don't help when you are trying to determine if this authorized application is allowed to access this specific user.