Re: [OAUTH-WG] OAuth 2.0 Device Flow: Call for Adoption Finalized

Justin Richer <jricher@mit.edu> Sat, 06 February 2016 14:22 UTC

To: Torsten Lodderstedt <torsten@lodderstedt.net>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
References: <56B3A3E6.5000109@gmx.net> <56B5DBE6.3090300@lodderstedt.net>
From: Justin Richer <jricher@mit.edu>
Message-ID: <56B6017D.9050908@mit.edu>
Date: Sat, 6 Feb 2016 09:21:49 -0500
In-Reply-To: <56B5DBE6.3090300@lodderstedt.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-o95o31vfxQVv2oehIZg4dYRqFs>

Dynamic client registration makes provisioning secrets much easier on 
devices like this. When it was originally written, the target was a 
public native application, where every copy would've gotten the same 
secret at manufacture time, rendering it not as secret. We've got good 
ways around that restriction now, managing instances separately.

  -- Justin
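An added example (not code from the thread or from any project) of the provisioning model Justin describes: each device registers itself at first boot under OAuth 2.0 Dynamic Client Registration (RFC 7591) and receives its own client_id and client_secret, so a secret extracted from one unit can be revoked without touching the rest of the fleet. The in-memory AuthorizationServer, its method names, the metadata values and the serial numbers are constructed assumptions; the device_code grant type URN is the one later registered by RFC 8628.

```python
# Added example, not code from the thread: per-instance credentials obtained via
# OAuth 2.0 Dynamic Client Registration (RFC 7591) instead of one secret baked into
# every unit at manufacture time. The in-memory AuthorizationServer is a constructed
# stand-in; its behaviour and the device's first-boot flow are assumptions.
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # grant type URN from RFC 8628

class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> {"secret": str, "revoked": bool, "client_name": str}

    def register(self, metadata):
        """RFC 7591 client registration request -> registration response."""
        if DEVICE_GRANT not in metadata.get("grant_types", []):
            raise ValueError("invalid_client_metadata: unsupported grant_types")
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "revoked": False,
                                   "client_name": metadata.get("client_name")}
        return {"client_id": client_id, "client_secret": client_secret,
                "grant_types": metadata["grant_types"],
                "token_endpoint_auth_method": "client_secret_basic"}

    def revoke_client(self, client_id):
        """Disable one registered instance; every other unit keeps working."""
        self.clients[client_id]["revoked"] = True

    def authenticate_client(self, client_id, client_secret):
        """Client authentication at the token endpoint (constant-time compare)."""
        rec = self.clients.get(client_id)
        return bool(rec and not rec["revoked"]
                    and secrets.compare_digest(rec["secret"], client_secret))

def provision_device(auth_server, serial):
    """First boot: register this unit so it holds its own client_id/client_secret,
    rather than the one factory secret shared by every copy of the firmware."""
    return auth_server.register({"client_name": f"tv-app {serial}",
                                 "grant_types": [DEVICE_GRANT],
                                 "token_endpoint_auth_method": "client_secret_basic"})

def demo():
    """Two units; a secret extracted from one unit costs only that unit's access."""
    auth_server = AuthorizationServer()
    a = provision_device(auth_server, "SN-0001")  # constructed serial numbers
    b = provision_device(auth_server, "SN-0002")
    auth_server.revoke_client(a["client_id"])     # unit A's secret was leaked
    return {"distinct_secrets": a["client_secret"] != b["client_secret"],
            "a_still_valid": auth_server.authenticate_client(a["client_id"], a["client_secret"]),
            "b_still_valid": auth_server.authenticate_client(b["client_id"], b["client_secret"])}
```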

On 2/6/2016 6:41 AM, Torsten Lodderstedt wrote:
> I support adoption of this draft as a starting point.
>
> I would like to note the following:
> - this flow is vulnerable to session fixation - a discussion of this 
> threat along with a reasonable mitigation needs to be added.
> - I don't understand why this particular flow precludes use of client 
> secrets. The application rendered on a device with limited input 
> capabilities could be a web application as well. For example, we run 
> such apps on our IP TV platform.
>
> kind regards,
> Torsten.
>
> Am 04.02.2016 um 20:17 schrieb Hannes Tschofenig:
>> Hi all,
>>
>> On January 19th I posted a call for adoption of the OAuth 2.0 Device
>> Flow specification, see
>> http://www.ietf.org/mail-archive/web/oauth/current/msg15403.html
>>
>> The feedback at the Yokohama IETF meeting was very positive and also the
>> response on the mailing list was positive.
>>
>> To conclude, based on the call <draft-denniss-oauth-device-flow-00> will
>> become the starting point for work in the OAuth working group. Please
>> submit the document as draft-ietf-oauth-device-flow-00.txt.
>>
>> Ciao
>> Hannes & Derek
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth