IETF Logo Mail Archive

Re: [OAUTH-WG] "shared symmetric secret"

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 15 July 2010 13:35 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C14F3A6A05 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 06:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.17
X-Spam-Level:
X-Spam-Status: No, score=-2.17 tagged_above=-999 required=5 tests=[AWL=-0.172, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_63=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfseB3ejLA9v for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 06:35:47 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 0FDB53A696C for <oauth@ietf.org>; Thu, 15 Jul 2010 06:35:44 -0700 (PDT)
Received: (qmail 20644 invoked from network); 15 Jul 2010 13:35:52 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 15 Jul 2010 13:35:52 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Thu, 15 Jul 2010 06:35:41 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Evan Gilbert <uidude@google.com>
Date: Thu, 15 Jul 2010 06:35:39 -0700
Thread-Topic: [OAUTH-WG] "shared symmetric secret"
Thread-Index: Acsj46O8Omf4x8BSS3OMw7TLIDwAbQAPvkoz
Message-ID: <C8645CBB.372DA%eran@hueniverse.com>
In-Reply-To: <AANLkTi=PUkqOU0Mtyewby4AHFTXbvBznfh1h9c0=nFSt@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C8645CBB372DAeranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "shared symmetric secret"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 13:35:55 -0000

Access tokens should not be stored in plain text either since stealing them is just like stealing a password.

As for cookies, client developers do very little to protect cookies today. While the theory might be similar, in practice, telling a client developer this is just like a cookies doesn't warn them enough.

EHL


On 7/14/10 11:04 PM, "Evan Gilbert" <uidude@google.com> wrote:

"Password" doesn't seem to be the right analogy. You don't (or really shouldn't) store passwords in plain text or in cookies.

How about "cookies"? Most web developers understand that cookies are used as a token that grants access to resources. We've also called these tokens"API cookies" when trying to describe them internally.


On Tue, Jul 13, 2010 at 4:34 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
I'm only using 2828 definition of capability, not password.

EHL



On 7/13/10 3:20 PM, "Zachary Zeltsan" <zachary.zeltsan@alcatel-lucent.com <http://zachary.zeltsan@alcatel-lucent.com> > wrote:

According to the RFC 2828 an access token is rather a capability than a password. The passwords are usually associated with the matching identifiers, but an access token of OAuth 2.0 is used as a single credential that allows access to a protected resource.

>From RFC 2828:
$ password

      (C) A password is usually matched with a user identifier that is
      explicitly presented in the authentication process, but in some
      cases the identity may be implicit.

Zachary
-----Original Message-----
From: oauth-bounces@ietf.org <http://oauth-bounces@ietf.org>  [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Eaton
Sent: Tuesday, July 13, 2010 4:43 PM
To: Faynberg, Igor (Igor)
Cc: OAuth WG
Subject: Re: [OAUTH-WG] "shared symmetric secret"

On Tue, Jul 13, 2010 at 1:40 PM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com <http://igor.faynberg@alcatel-lucent.com> > wrote:
> In this case, the term "capability" MUST be defined up front. The word
> "capability" seems to carry a much broader meaning than password...

It has a standard definition we can reference.  From
http://www.ietf.org/rfc/rfc2828.txt

   $ capability
      (I) A token, usually an unforgeable data value (sometimes called a
      "ticket") that gives the bearer or holder the right to access a
      system resource. Possession of the token is accepted by a system
      as proof that the holder has been authorized to access the
      resource named or indicated by the token. (See: access control
      list, credential, digital certificate.)


_______________________________________________
OAuth mailing list
OAuth@ietf.org <http://OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org <http://OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.40.4 | Report a Bug | By Email | System Status