Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 16 April 2012 15:47 UTC

Message-ID: <4F8C3EFF.20103@cs.tcd.ie>
Date: Mon, 16 Apr 2012 16:47:11 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: William Mills <wmills@yahoo-inc.com>
References: <4F866AC0.3000603@qualcomm.com> <01OE8FW1U53G00ZUIL@mauve.mrochek.com> <82462DAA-5118-4108-AA5C-FBEBBC563D4E@mnot.net> <01OE921YMRSW00ZUIL@mauve.mrochek.com> <4F8898A9.8020806@cs.tcd.ie> <CAHBU6it6vxo=B85Q7fpzsVY97QD8jtbEs-pxvWHP-81zv8Ov4g@mail.gmail.com> <sjmpqb73foo.fsf@mocana.ihtfp.org> <1334590326.6719.YahooMailNeo@web31807.mail.mud.yahoo.com>
In-Reply-To: <1334590326.6719.YahooMailNeo@web31807.mail.mud.yahoo.com>
Cc: Ned Freed <ned.freed@mrochek.com>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, Apps Discuss <apps-discuss@ietf.org>, Mark Nottingham <mnot@mnot.net>, Pete Resnick <presnick@qualcomm.com>, Derek Atkins <derek@ihtfp.com>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Hi Bill,

On 04/16/2012 04:32 PM, William Mills wrote:
> A big problem, in my opinion, is that credentials will end up in the browser history cache when they are included in the URL. This is significant. Unless an explicit user "sign out" in the browser invalidates all tokens issued to the browser (this is a significant revocation requirement and revocation isn't properly solved yet) then someone sitting down at the machine can recover a credential by looking in the history.
>
> Note that enterprise edge proxies that are doing SSL termination may well see this, but that could be considered "their problem". I have seen apparent evidence of large companies using egress proxies that terminate all SSL outbound at their proxy (depressingly evil), and they frequently get stuff wrong in terms of proxy settings.

Right. I agree that is an issue. The draft does try to address that
and we can chat about whether it does that well enough or not (but
that's maybe more for the oauth list really.)

But your issue is a different one from that being discussed in
this thread. Yours is due to the value being a bearer token and
not due to the name of the parameter being registered/reserved.

S.

> -bill
>
>> ________________________________
>> From: Derek Atkins <derek@ihtfp.com>
>> To: Tim Bray <tbray@textuality.com> 
>> Cc: Ned Freed <ned.freed@mrochek.com>; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss <apps-discuss@ietf.org>; Mark Nottingham <mnot@mnot.net>; Pete Resnick <presnick@qualcomm.com> 
>> Sent: Monday, April 16, 2012 7:38 AM
>> Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
>>
>> Tim,
>>
>> Tim Bray <tbray@textuality.com> writes:
>>
>>> As I pointed out in the other thread on this, it’s an architectural
>>> botch. Go and look in RFC3986 and find where it discusses reserving
>>> keywords in this part of the URI.  Hey, it’s not there!  (hint, hint)
>>>
>>> What *is* there is a lengthy discussion of the very important task,
>>> done probably millions of times per second, of comparing two URIs and
>>> deciding if they're equivalent, i.e. identify the same thing; this is
>>> done by every piece of caching infrastructure and webcrawler.  Do all
>>> these have to be retooled to peek in the arguments and change their
>>> decision based on whether some bits are just oauth_* crud? (That
>>> question is rhetorical).
>>>
>>> This is a deeply bad idea. -T
>>
>> As pointed out elsewhere on this thread by Mike Jones, caches, crawlers,
>> and other middleware will never see this because the bearer token MUST
>> be protected by SSL/TLS.  So no, nothing needs to be retooled because
>> nothing will see it.
>>
>> -derek
>>
>> -- 
>>        Derek Atkins                 617-623-3745
>>       derek@ihtfp.com            www.ihtfp.com
>>        Computer and Internet Security Consultant
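As an added example (not code from this thread or from the bearer draft), the two concerns above in one script: scrubbing the token parameter from URLs before they land in logs, caches or history, and the RFC 3986 simple string comparison Tim refers to, under which every distinct token value yields a distinct URI. Assumed parameter names are access_token (the name in the published RFC 6750) and oauth_token (earlier drafts); the log format and sample lines are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as bearer credentials (assumed set):
# "access_token" is the name in the published bearer spec (RFC 6750),
# "oauth_token" the name used by earlier drafts.
TOKEN_PARAMS = frozenset({"access_token", "oauth_token"})


def redact_token_params(url: str) -> tuple[str, list[str]]:
    """Return (url with token parameters removed, names of the removed params)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k not in TOKEN_PARAMS]
    removed = [k for k, _ in pairs if k in TOKEN_PARAMS]
    scrubbed = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return scrubbed, removed


def same_uri_by_string(a: str, b: str) -> bool:
    """RFC 3986 section 6.2.1 simple string comparison, after the scheme/host
    case normalization most caches already apply. Nothing here looks inside
    the query, so a different token value means a different URI."""
    def norm(u: str) -> tuple:
        p = urlsplit(u)
        return (p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment)
    return norm(a) == norm(b)


def find_token_leaks(log_lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan access-log lines (URL assumed to be the second whitespace-separated
    field) and report (line number, token parameter names) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 2:
            continue
        _, removed = redact_token_params(fields[1])
        if removed:
            hits.append((n, removed))
    return hits


# Constructed sample log lines; the token values are placeholders.
SAMPLE_LOG = [
    "GET https://api.example.com/v1/me?access_token=TOKEN_A&fields=name 200",
    "GET https://api.example.com/v1/me?access_token=TOKEN_B&fields=name 200",
    "GET https://api.example.com/v1/public?fields=name 200",
]
```

Running `find_token_leaks` over the scrubbed output of `redact_token_params` returns nothing, which is the state a log or proxy store should be in before it is retained.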