Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01
Bill Mills <wmills_92105@yahoo.com> Tue, 02 December 2014 19:09 UTC
Fetching the public key for a token might be fine, but what if the introspection endpoint returns the symmetric key? Data about the user? Where does this blur the line between this and "act on behalf of"?

On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." <jricher@mitre.org> wrote:

> The call to introspection has a TLS requirement, but the call to the RS wouldn't necessarily have that requirement. The signature and the token identifier are two different things. The identifier doesn't do an attacker any good on its own without the verifiable signature that's associated with it and the request.
>
> What I'm saying is that you introspect the identifier and get back something that lets you, the RS, check the signature.
>
> -- Justin
>
> On Dec 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com> wrote:
>
>> "However, I think it's very clear how PoP tokens would work. ..."
>>
>> I don't know if that's true. POP tokens (as yet to be fully defined) would then also have a TLS or transport security requirement unless there is token introspection client auth in play I think. Otherwise I can as an attacker take that token and get info about it that might be useful, and I don't think that's what we want.
>>
>> -bill
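The split the thread describes (the RS introspects the token identifier and gets back what it needs to check the request signature), together with the objection raised above (what if the material returned is a symmetric key?), as an added example in Go. This is not code from the draft or from anyone in the thread. The in-memory authorization server, the token records, the RS client credentials, the request-digest format and every name (tokenRecord, authServer, introspect, signRequest, macRequest, verifyRequest, newDemoServer) are constructed for illustration; the one design point it demonstrates is that a public PoP key can be handed to any introspection caller, while a symmetric PoP key is only released to an RS that has authenticated to the introspection endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tokenRecord is the AS-side view of one PoP token (constructed stand-in for a token store).
type tokenRecord struct {
	active bool
	scope  string
	pubKey *ecdsa.PublicKey // asymmetric PoP key: returning it gives a caller nothing usable
	secret []byte           // symmetric PoP key: returning it hands the caller the key itself
}

// authServer holds the token store and the RS client credentials (both constructed).
type authServer struct {
	tokens  map[string]*tokenRecord
	rsCreds map[string]string // RS client_id -> client_secret
}

// introspection is the subset of an introspection response this example needs.
type introspection struct {
	Active bool
	Scope  string
	PubKey *ecdsa.PublicKey
	Secret []byte
}

var errNeedRSAuth = errors.New("symmetric PoP key is released only to an authenticated RS")

// introspect answers an introspection call for tokenID. rsID/rsSecret are the caller's
// credentials ("" when the caller does not authenticate). Public keys go to anyone;
// symmetric keys only to an RS that proved who it is.
func (as *authServer) introspect(tokenID, rsID, rsSecret string) (introspection, error) {
	rec, ok := as.tokens[tokenID]
	if !ok || !rec.active {
		return introspection{Active: false}, nil
	}
	out := introspection{Active: true, Scope: rec.scope, PubKey: rec.pubKey}
	if rec.secret != nil {
		want, known := as.rsCreds[rsID]
		if !known || !hmac.Equal([]byte(want), []byte(rsSecret)) {
			return introspection{}, errNeedRSAuth
		}
		out.Secret = rec.secret
	}
	return out, nil
}

// requestDigest binds the PoP signature to the request and to the token identifier.
func requestDigest(method, path, tokenID, nonce string) []byte {
	h := sha256.Sum256([]byte(method + "\n" + path + "\n" + tokenID + "\n" + nonce))
	return h[:]
}

// signRequest is the client side for an asymmetric PoP token.
func signRequest(priv *ecdsa.PrivateKey, method, path, tokenID, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, requestDigest(method, path, tokenID, nonce))
}

// macRequest is the client side for a symmetric PoP token.
func macRequest(secret []byte, method, path, tokenID, nonce string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(requestDigest(method, path, tokenID, nonce))
	return mac.Sum(nil)
}

// verifyRequest is the RS side: introspect the identifier, then check the signature with
// whatever confirmation key came back. An identifier replayed without a valid signature,
// or a signature replayed against a different request, fails here.
func verifyRequest(as *authServer, rsID, rsSecret, method, path, tokenID, nonce string, sig []byte) (bool, error) {
	info, err := as.introspect(tokenID, rsID, rsSecret)
	if err != nil {
		return false, err
	}
	if !info.Active {
		return false, nil
	}
	d := requestDigest(method, path, tokenID, nonce)
	switch {
	case info.PubKey != nil:
		return ecdsa.VerifyASN1(info.PubKey, d, sig), nil
	case info.Secret != nil:
		return hmac.Equal(macRequest(info.Secret, method, path, tokenID, nonce), sig), nil
	}
	return false, errors.New("introspection returned no confirmation key")
}

// newDemoServer builds a constructed AS with one asymmetric and one symmetric PoP token.
func newDemoServer() (*authServer, *ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, nil, nil, err
	}
	as := &authServer{
		tokens: map[string]*tokenRecord{
			"tok-asym-1": {active: true, scope: "read", pubKey: &priv.PublicKey},
			"tok-sym-1":  {active: true, scope: "read", secret: secret},
		},
		rsCreds: map[string]string{"rs-photos": "rs-photos-secret"}, // constructed credentials
	}
	return as, priv, secret, nil
}

func main() {
	as, priv, secret, err := newDemoServer()
	if err != nil {
		panic(err)
	}
	sig, _ := signRequest(priv, "GET", "/photos/1", "tok-asym-1", "n1")
	ok, _ := verifyRequest(as, "", "", "GET", "/photos/1", "tok-asym-1", "n1", sig)
	fmt.Println("asymmetric PoP, unauthenticated introspection, good signature:", ok)
	ok, _ = verifyRequest(as, "", "", "GET", "/photos/2", "tok-asym-1", "n1", sig)
	fmt.Println("same signature replayed against a different request:", ok)
	_, err = as.introspect("tok-sym-1", "", "")
	fmt.Println("symmetric PoP, unauthenticated introspection:", err)
	ok, _ = verifyRequest(as, "rs-photos", "rs-photos-secret", "GET", "/photos/1", "tok-sym-1", "n2",
		macRequest(secret, "GET", "/photos/1", "tok-sym-1", "n2"))
	fmt.Println("symmetric PoP, authenticated introspection, good MAC:", ok)
}
```

The asymmetric path is the one the reply above argues is harmless to expose: anyone can introspect the identifier and learn the public key, but without the private key they cannot produce a signature over their own request. The symmetric path is the one the objection is about: the same introspection response would hand out the key itself, so the example refuses it unless the RS has authenticated. Whether the transport to the RS also needs TLS is a separate question this example does not address.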
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Justin Richer
- [OAUTH-WG] Review of draft-ietf-oauth-introspecti… Hannes Tschofenig
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Sergey Beryozkin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Hannes Tschofenig
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Sergey Beryozkin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Hannes Tschofenig
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Justin Richer
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Sergey Beryozkin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Sergey Beryozkin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Donald Coffin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Thomas Broyer
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Bill Mills
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Donald Coffin
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Bill Mills
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Bill Mills
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… John Bradley
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… John Bradley
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Bill Mills
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Eve Maler
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… John Bradley
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Richer, Justin P.
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Phil Hunt
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Justin Richer
- Re: [OAUTH-WG] Review of draft-ietf-oauth-introsp… Phil Hunt