Re: [OAUTH-WG] AD review of -22
Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 02 November 2011 20:49 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D479B11E811F for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PGN3su-J4Pr for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:49:44 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.28]) by ietfa.amsl.com (Postfix) with ESMTP id 16F0511E80BC for <oauth@ietf.org>; Wed, 2 Nov 2011 13:49:43 -0700 (PDT)
Received: from [87.142.252.185] (helo=[192.168.71.38]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1RLhkh-0005g6-Tw; Wed, 02 Nov 2011 21:49:39 +0100
Message-ID: <4EB1ACE2.9070209@lodderstedt.net>
Date: Wed, 02 Nov 2011 21:49:38 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net> <4EB1A7E8.5030209@cs.tcd.ie>
In-Reply-To: <4EB1A7E8.5030209@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:49:44 -0000
If we must define a mandatory token type then bearer + TLS would be my suggestion. regards, Torsten. Am 02.11.2011 21:28, schrieb Stephen Farrell: > > Hi Torsten, > > On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote: >> Hi Stephen, >> >> I'm concerned about your proposal (7) to make support for MAC a MUST for >> clients and BEARER a MAY only. In my opinion, this does not reflect the >> group's consensus. > > That wasn't quite my comment, which is below: > > (7) Doesn't 7.1 need to say which token types are MTI so that we > get interop? I think I'd like to see mac being a MUST and bearer > being a MAY but regardless of my preference, I don't think you > can be silent on this. And as a consequence one or both of > the mac/bearer drafts need to end up as normative. > > > Beside this, the security threat analysis justifies >> usage of BEARER for nearly all use cases as long as HTTPS (incl. server >> authentication) can be utilized. > > As I said, I personally prefer the mac scheme since it demonstrates > use of a key. However, as I also said, the main concern with this > point is interop. (I do note though that bearer has server-auth TLS > as a MUST USE, so the implication of making bearer a MUST is that > TLS is MTI for the base spec too and a MUST USE for anything > involving the MTI token type.) > > In any case I can live with it so long as the set of things that > are MTI is clear. > > Incidentally, I don't believe any amount of +1 messages to your > mail answer my point above. As Eran's mail asks: what is it > that you're suggesting be MTI for whom? > > S. > >> >> regards, >> Torsten. >> >> >> Am 13.10.2011 19:13, schrieb Stephen Farrell: >>> >>> Hi all, >>> >>> Sorry for having been quite slow with this, but I had a bunch >>> of travel recently. >>> >>> Anyway, my AD comments on -22 are attached. I think that the >>> first list has the ones that need some change before we push >>> this out for IETF LC, there might or might not be something >>> to change as a result of the 2nd list of questions and the >>> rest are really nits can be handled either now or later. >>> >>> Thanks for all your work on this so far - its nearly there >>> IMO and we should be able to get the IETF LC started once >>> these few things are dealt with. >>> >>> Cheers, >>> S. >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>
- [OAUTH-WG] AD review of -22 Stephen Farrell
- Re: [OAUTH-WG] AD review of -22 Eran Hammer-Lahav
- Re: [OAUTH-WG] AD review of -22 Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of -22 John Bradley
- Re: [OAUTH-WG] AD review of -22 Eran Hammer-Lahav
- Re: [OAUTH-WG] AD review of -22 Phil Hunt
- Re: [OAUTH-WG] AD review of -22 Justin Richer
- Re: [OAUTH-WG] AD review of -22 Stephen Farrell
- Re: [OAUTH-WG] AD review of -22 Mike Jones
- Re: [OAUTH-WG] AD review of -22 Stephen Farrell
- Re: [OAUTH-WG] AD review of -22 John Bradley
- Re: [OAUTH-WG] AD review of -22 Phillip Hunt
- Re: [OAUTH-WG] AD review of -22 Stephen Farrell
- Re: [OAUTH-WG] AD review of -22 Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of -22 Eran Hammer-Lahav
- Re: [OAUTH-WG] AD review of -22 John Bradley
- Re: [OAUTH-WG] AD review of -22 André DeMarre
- Re: [OAUTH-WG] AD review of -22 William Mills
- Re: [OAUTH-WG] AD review of -22 Justin Richer
- Re: [OAUTH-WG] AD review of -22 Eran Hammer-Lahav
- Re: [OAUTH-WG] AD review of -22 Phil Hunt
- Re: [OAUTH-WG] AD review of -22 Michael Thomas
- Re: [OAUTH-WG] AD review of -22 William Mills