Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

William Mills <wmills@yahoo-inc.com> Mon, 16 April 2012 15:32 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3437D21F8597 for <apps-discuss@ietfa.amsl.com>; Mon, 16 Apr 2012 08:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.014
X-Spam-Level:
X-Spam-Status: No, score=-16.014 tagged_above=-999 required=5 tests=[AWL=-0.590, BAYES_20=-0.74, HTML_MESSAGE=0.001, SARE_MILLIONSOF=0.315, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sHIB732ap+3K for <apps-discuss@ietfa.amsl.com>; Mon, 16 Apr 2012 08:32:10 -0700 (PDT)
Received: from nm9-vm4.bullet.mail.ne1.yahoo.com (nm9-vm4.bullet.mail.ne1.yahoo.com [98.138.91.169]) by ietfa.amsl.com (Postfix) with SMTP id 2349921F8593 for <apps-discuss@ietf.org>; Mon, 16 Apr 2012 08:32:10 -0700 (PDT)
Received: from [98.138.90.57] by nm9.bullet.mail.ne1.yahoo.com with NNFMP; 16 Apr 2012 15:32:06 -0000
Received: from [98.138.86.157] by tm10.bullet.mail.ne1.yahoo.com with NNFMP; 16 Apr 2012 15:32:06 -0000
Received: from [127.0.0.1] by omp1015.mail.ne1.yahoo.com with NNFMP; 16 Apr 2012 15:32:06 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 904104.48565.bm@omp1015.mail.ne1.yahoo.com
Received: (qmail 46384 invoked by uid 60001); 16 Apr 2012 15:32:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1334590326; bh=vrcVo1q82i0d/p6Igm9Enf6vp1WcwXV8JRO1HBIM5j8=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=TlLZ7yRaA8HGn3iTtDSphOvipxBjVTgq8PRk3KfXyzwFcWemVEz5Wg6xtN76fr20JOmGdLDFHQCEbn3nCpancyW+Lq6c8ayjoI5niyde1iI4nLsWGCfcDOxNIP+ufZ+7HOvzlOe+leMxePCTOpLIX5KasPECyBx1W+0ibZx7n7o=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=AraP9SoX6OCvtQkO9TnCc4+OIJWokcPNzM9/u8vTKv20MQ772Txt0kfRrFPv1txzDkmI+TQ7LXY9T0ZkC2U4xt41DJjO0pmasarS/h5eeREaI1u7FPFbHtFenad0T54E6uLruOcFknZxFcfHxF6TarPxx3Qg819PfchQxUWowOc=;
X-YMail-OSG: Au8D49YVM1kcMGlFevCZqg_jTmmp6lpAAQ4qJ5zKRKIe2nU 6afRw_jfTkbNo1t4lUTJQeGj4T6QnwN4M855ulAsRgoxsI43gg.0r2wfhXtj LTlTyOt7nLrizIpZeNVSDLDMchRZoQOn84ryr7q.jSC2Rb6TOS8lNX1.m.su XTvOD_23Fb1oRt60Ld4zdjjWWLYVgde.iGypB6GotlahL5t1DXaZdvckICZP ev6YU9PKNRkJ4Qa2Ck4XcdkkGj.E9ppzlilVW7xGg9MhnAnXin0Fh1AnoWDC n6EThPGjC.wPAFq4vP0jlYnyP_eVQT16yPb6rgXa97d2rDPL401D91WO_Ilc PEHpykUGEOntaCB0Hhb4Wb0nbEySri_6WzQB51XU74NUPwupOhxm68GcxOkO VsPepWT40qkH5MNS0tf1MO13wT3On_zbUcPitxHmYgZkoPhrfl.nl9GeYIk1 o7UBkCDKfwpdN369Nr9AvYejt
Received: from [99.31.212.42] by web31807.mail.mud.yahoo.com via HTTP; Mon, 16 Apr 2012 08:32:06 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.118.349524
References: <4F866AC0.3000603@qualcomm.com> <01OE8FW1U53G00ZUIL@mauve.mrochek.com> <82462DAA-5118-4108-AA5C-FBEBBC563D4E@mnot.net> <01OE921YMRSW00ZUIL@mauve.mrochek.com> <4F8898A9.8020806@cs.tcd.ie> <CAHBU6it6vxo=B85Q7fpzsVY97QD8jtbEs-pxvWHP-81zv8Ov4g@mail.gmail.com> <sjmpqb73foo.fsf@mocana.ihtfp.org>
Message-ID: <1334590326.6719.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Mon, 16 Apr 2012 08:32:06 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Derek Atkins <derek@ihtfp.com>, Tim Bray <tbray@textuality.com>
In-Reply-To: <sjmpqb73foo.fsf@mocana.ihtfp.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-125733401-1811558597-1334590326=:6719"
Cc: Pete Resnick <presnick@qualcomm.com>, Mark Nottingham <mnot@mnot.net>, Ned Freed <ned.freed@mrochek.com>, Apps Discuss <apps-discuss@ietf.org>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2012 15:32:11 -0000


A big problem, in my opinion, is that credentials will end up in the browser history cache when they are included in the URL.  This is significant.  Unless an explicit user "sign out" in the browser invalidates all tokens issued to the browser (this is a significant revocation requirement, and revocation isn't properly solved yet), then someone sitting down at the machine can recover a credential by looking in the history.


Note that enterprise edge proxies that are doing SSL termination may well see this, but that could be considered "their problem".  I have seen apparent evidence of large companies using egress proxies that terminate all SSL outbound at their proxy (depressingly evil), and they frequently get stuff wrong in terms of proxy settings.

-bill



>________________________________
> From: Derek Atkins <derek@ihtfp.com>
>To: Tim Bray <tbray@textuality.com> 
>Cc: Ned Freed <ned.freed@mrochek.com>; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss <apps-discuss@ietf.org>; Mark Nottingham <mnot@mnot.net>; Pete Resnick <presnick@qualcomm.com> 
>Sent: Monday, April 16, 2012 7:38 AM
>Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
> 
>Tim,
>
>Tim Bray <tbray@textuality.com> writes:
>
>> As I pointed out in the other thread on this, it’s an architectural
>> botch. Go and look in RFC3986 and find where it discusses reserving
>> keywords in this part of the URI.  Hey, it’s not there!  (hint, hint)
>>
>> What *is* there is a lengthy discussion of the very important task,
>> done probably millions of times per second, of comparing two URIs and
>> deciding if they're equivalent, i.e. identify the same thing; this is
>> done by every piece of caching infrastructure and webcrawler.  Do all
>> these have to be retooled to peek in the arguments and change their
>> decision based on whether some bits are just oauth_* crud?    (That
>> question is rhetorical).
>>
>> This is a deeply bad idea. -T
>
>As pointed out elsewhere on this thread by Mike Jones, caches, crawlers,
>and other middleware will never see this because the bearer token MUST
>be protected by SSL/TLS.  So no, nothing needs to be retooled because
>nothing will see it.
>
>-derek
>
>-- 
>       Derek Atkins                 617-623-3745
>      derek@ihtfp.com            www.ihtfp.com
>       Computer and Internet Security Consultant
>_______________________________________________
>apps-discuss mailing list
>apps-discuss@ietf.org
>https://www.ietf.org/mailman/listinfo/apps-discuss
>
>
>
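The leak Mills describes above (a bearer token carried in the URL query, so it lands in browser history, in the logs of any TLS-terminating egress proxy, and in the resource server's own access log) is easy to check for after the fact. The following is an added example, not code from the thread or from the OAuth working group: it scans URLs or Common Log Format request lines for token-carrying query parameters, redacts them for safe storage, and rewrites such a request to send the token in the Authorization header instead, which history and access logs do not record. `access_token` is the query parameter name the Bearer spec defines; the other names in `TOKEN_PARAMS`, the sample log lines and the token values are constructed for this example.

```python
"""Detect and remediate bearer tokens that leaked into URLs (history exports, proxy or access logs)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that carry a bearer credential. "access_token" is the
# Bearer spec's URI query parameter; the rest are assumed names seen in the wild
# (assumption, extend for your deployment).
TOKEN_PARAMS = frozenset({"access_token", "oauth_token", "token", "bearer"})

# Extracts the request target from a Common Log Format line, e.g. "GET /x?y=1 HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_token_params(url):
    """Return {param: value} for every token-carrying query parameter in url."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in TOKEN_PARAMS}


def redact_url(url, mask="REDACTED"):
    """Keep the URL (and the fact that a token was present) but drop the secret value."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def move_token_to_header(url):
    """Strip the token from the query string and return (clean_url, headers).

    The Authorization header is not written to browser history, is not sent in
    Referer, and is not logged by default access-log formats, which is why the
    header form is the safe transport for a bearer token.
    """
    tokens = find_token_params(url)
    if not tokens:
        return url, {}
    token = next(iter(tokens.values()))
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in TOKEN_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(pairs)))
    return clean, {"Authorization": f"Bearer {token}"}


def scan_log(lines):
    """Return [(line_no, param, token)] for every request whose target carries a token."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, value in find_token_params(m.group("target")).items():
            hits.append((n, param, value))
    return hits


# Constructed sample access-log lines (not real traffic); line 1 and line 3 leak a token.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2012:08:32:06 -0700] "GET /resource?id=7&access_token=mF_9.B5f-4.1JqM HTTP/1.1" 200 512',
    '10.0.0.6 - - [16/Apr/2012:08:33:10 -0700] "GET /resource?id=8 HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Apr/2012:08:34:01 -0700] "POST /api/items?oauth_token=abc123 HTTP/1.1" 201 20',
]

if __name__ == "__main__":
    for line_no, param, token in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {param} leaked ({len(token)} chars)")
    leaked = "https://api.example.com/resource?id=7&access_token=mF_9.B5f-4.1JqM"
    print(redact_url(leaked))
    print(move_token_to_header(leaked))
```

Run it against an exported browser history or an access log to confirm whether any client is using the query-parameter form; any hit is a credential that should be treated as exposed and revoked, since redacting the log afterwards does not undo the copies already sitting in history files and proxy logs.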