Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

William Mills <wmills@yahoo-inc.com> Mon, 16 April 2012 16:23 UTC

References: <4F866AC0.3000603@qualcomm.com> <01OE8FW1U53G00ZUIL@mauve.mrochek.com> <82462DAA-5118-4108-AA5C-FBEBBC563D4E@mnot.net> <01OE921YMRSW00ZUIL@mauve.mrochek.com> <4F8898A9.8020806@cs.tcd.ie> <CAHBU6it6vxo=B85Q7fpzsVY97QD8jtbEs-pxvWHP-81zv8Ov4g@mail.gmail.com> <sjmpqb73foo.fsf@mocana.ihtfp.org> <1334590326.6719.YahooMailNeo@web31807.mail.mud.yahoo.com> <4F8C3EFF.20103@cs.tcd.ie>
Message-ID: <1334593398.74981.YahooMailNeo@web31808.mail.mud.yahoo.com>
Date: Mon, 16 Apr 2012 09:23:18 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <4F8C3EFF.20103@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Cc: Ned Freed <ned.freed@mrochek.com>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, Apps Discuss <apps-discuss@ietf.org>, Mark Nottingham <mnot@mnot.net>, Pete Resnick <presnick@qualcomm.com>, Derek Atkins <derek@ihtfp.com>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

>________________________________
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>To: William Mills <wmills@yahoo-inc.com> 
>Cc: Derek Atkins <derek@ihtfp.com>; Tim Bray <tbray@textuality.com>; Ned Freed <ned.freed@mrochek.com>; "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>; Apps Discuss <apps-discuss@ietf.org>; Mark Nottingham <mnot@mnot.net>; Pete Resnick <presnick@qualcomm.com> 
>Sent: Monday, April 16, 2012 8:47 AM
>Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
> 
>
>Hi Bill,
>
>On 04/16/2012 04:32 PM, William Mills wrote:
>> 
>> 
>> A big problem, in my opinion, is that credentials will end up in the browser history cache when they are included in the URL.  This is significant.  Unless an explicit user "sign out" in the browser invalidates all tokens issued to the browser (this is a significant revocation requirement and revocation isn't properly solved yet) then someone sitting down at the machine can recover a credential by looking in the history.
>> 
>> 
>> Note that enterprise edge proxies that are doing SSL termination may well see this, but that could be considered "their problem".  I have seen apparent evidence of large companies using egress proxies that terminate all SSL outbound at their proxy (depressingly evil), and they frequently get stuff wrong in terms of proxy settings.
>
>Right. I agree that is an issue. The draft does try to address that
>and we can chat about whether it does that well enough or not (but
>that's maybe more for the oauth list really.)
>
>But your issue is a different one from that being discussed in
>this thread. Yours is due to the value being a bearer token and
>not due to the name of the parameter being registered/reserved.

Yeah, true.  But if it's not there then it doesn't need a name.


>
>S.
>
>
>> 
>> -bill
>> 
>> 
>> 
>>> ________________________________
>>> From: Derek Atkins <derek@ihtfp.com>
>>> To: Tim Bray <tbray@textuality.com> 
>>> Cc: Ned Freed <ned.freed@mrochek.com>; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss <apps-discuss@ietf.org>; Mark Nottingham <mnot@mnot.net>; Pete Resnick <presnick@qualcomm.com> 
>>> Sent: Monday, April 16, 2012 7:38 AM
>>> Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
>>>
>>> Tim,
>>>
>>> Tim Bray <tbray@textuality.com> writes:
>>>
>>>> As I pointed out in the other thread on this, it’s an architectural
>>>> botch. Go and look in RFC3986 and find where it discusses reserving
>>>> keywords in this part of the URI.  Hey, it’s not there!  (hint, hint)
>>>>
>>>> What *is* there is a lengthy discussion of the very important task,
>>>> done probably millions of times per second, of comparing two URIs and
>>>> deciding if they're equivalent, i.e. identify the same thing; this is
>>>> done by every piece of caching infrastructure and webcrawler.  Do all
>>>> these have to be retooled to peek in the arguments and change their
>>>> decision based on whether some bits are just oauth_* crud?    (That
>>>> question is rhetorical).
>>>>
>>>> This is a deeply bad idea. -T
>>>
>>> As pointed out elsewhere on this thread by Mike Jones, caches, crawlers,
>>> and other middleware will never see this because the bearer token MUST
>>> be protected by SSL/TLS.  So no, nothing needs to be retooled because
>>> nothing will see it.
>>>
>>> -derek
>>>
>>> -- 
>>>        Derek Atkins                 617-623-3745
>>>      derek@ihtfp.com            www.ihtfp.com
>>>        Computer and Internet Security Consultant
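As an added illustration of Bill's point that a token carried in the URL also lands in browser history, proxy logs and server access logs (example code, not from the thread or from the OAuth drafts): a Python check that finds bearer tokens sent as query parameters in access-log lines and redacts them. It assumes the parameter name `access_token`, which is the one the bearer specification (later RFC 6750, section 2.3) reserves for the query-parameter method, plus the `oauth_*` prefix from Tim's remark; the log lines are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that carry a token when a client puts it in the
# URL instead of the Authorization header.  "access_token" is the name
# RFC 6750 reserves; the "oauth_*" prefix covers the older OAuth 1.0 names.
TOKEN_PARAMS = {"access_token"}
TOKEN_PREFIXES = ("oauth_",)


def is_token_param(name):
    """True if a query parameter name is known to carry a credential."""
    return name in TOKEN_PARAMS or name.lower().startswith(TOKEN_PREFIXES)


def redact_token_params(url, placeholder="REDACTED"):
    """Return (redacted_url, names): the URL with every token-carrying
    parameter value replaced, and the list of parameter names found.
    Other parameters are kept in their original order."""
    parts = urlsplit(url)
    names, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_token_param(key):
            names.append(key)
            pairs.append((key, placeholder))
        else:
            pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), names


def scan_access_log(lines):
    """Scan common-log-format lines (the request URI is the 7th
    space-separated field) and report requests that carried a token in
    the URL.  Returns a list of (line_number, names, redacted_uri); the
    redacted form is what should be written to any retained log."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split(" ")
        if len(fields) < 7:
            continue  # malformed line, not a request record
        redacted, names = redact_token_params(fields[6])
        if names:
            findings.append((lineno, names, redacted))
    return findings


# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2012:09:23:18 -0700] "GET /api/me?access_token=tk_abc123&fmt=json HTTP/1.1" 200 512',
    '10.0.0.6 - - [16/Apr/2012:09:23:19 -0700] "GET /api/me?fmt=json HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Apr/2012:09:24:01 -0700] "GET /legacy?oauth_token=old9&x=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for lineno, names, uri in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: token in {names}; redacted URI {uri}")
```

The second line, where the client used the Authorization header, produces no finding: the header is not part of the URI and so never reaches history or URI-keyed logs.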