Re: [OAUTH-WG] Username and Password flow: no captcha?

Dick Hardt <dick.hardt@gmail.com> Tue, 08 June 2010 01:21 UTC

From: Dick Hardt <dick.hardt@gmail.com>
To: Thomas Hardjono <hardjono@MIT.EDU>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Mon, 07 Jun 2010 18:21:27 -0700
Subject: Re: [OAUTH-WG] Username and Password flow: no captcha?
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0179258EFD@EXPO10.exchange.mit.edu>
Message-Id: <4B4E144D-A3E9-4EDD-B010-FDA700C2BCF8@gmail.com>
References: <AANLkTint78W8GC5Jctc0je5dsmuY-Ket2aqI00tjl-NC@mail.gmail.com> <AANLkTilXJM7rphv02DvFsmMgSdjO0twY1nVIPGwduC6m@mail.gmail.com> <067D69D3-6E06-4B53-B9AB-A39B3DE9E957@facebook.com> <82D12A9F-B304-439D-80F9-943ECB5F8BBF@gmail.com> <DADD7EAD88AB484D8CCC328D40214CCD0179258EFD@EXPO10.exchange.mit.edu>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

On 2010-06-07, at 1:24 PM, Thomas Hardjono wrote:

> What if the username/password (or PIN) was used to release a secret (located in an OTP dongle) or to exercise a secret key (symmetric or asymmetric) located in a smartcard or TPM chip?
>
> Reading Section 3.8, it seems it covers these cases already (or am I reading the wrong section). In Figure 6, the "Client" would be the code contained in the auth-device (or the code that invokes the underlying auth-device).
>
> Section 3.7 on device flows does not look as if it was written with these portable auth-devices in mind.

Correct, it was not.