Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-02.txt

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 20 December 2013 21:55 UTC

Message-ID: <52B4BCD0.5080600@gmail.com>
Date: Fri, 20 Dec 2013 21:55:28 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <20131019101348.9565.3370.idtracker@ietfa.amsl.com> <CABzCy2Ai6W3XRLzXTGQB8vS40V6QTsoa6Q+7uq4zMftgnZkc7g@mail.gmail.com>
In-Reply-To: <CABzCy2Ai6W3XRLzXTGQB8vS40V6QTsoa6Q+7uq4zMftgnZkc7g@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-02.txt

Hi

IMHO the fact that the transformation of the code_verifier is pluggable is a 
major improvement, and the whole text somehow reads much easier (a few 
minor typos in the introduction).

The only doubt is about the 'MUST' bit where the client is expected to 
figure out that the server supports this spec. Not a problem for me as I 
don't work on implementing a client, but it seems like it makes the 
whole process suddenly much more complex than maybe it should be.

Would it make sense to change 'MUST' to 'RECOMMENDED' and have the 
authorization service return a code_verifier_accepted or some similar 
response parameter, alongside the 'code', instead? Not really though,

Cheers, Sergey



On 19/10/13 11:15, Nat Sakimura wrote:
> Incorporated the discussion at Berlin meeting and after in the ML.
>
> Best,
>
> Nat
>
> ---------- Forwarded message ----------
> From: ** <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> Date: 2013/10/19
> Subject: New Version Notification for draft-sakimura-oauth-tcse-02.txt
> To: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>, John
> Bradley <jbradley@pingidentity.com <mailto:jbradley@pingidentity.com>>,
> Naveen Agarwal <naa@google.com <mailto:naa@google.com>>
>
>
>
> A new version of I-D, draft-sakimura-oauth-tcse-02.txt
> has been successfully submitted by Nat Sakimura and posted to the
> IETF repository.
>
> Filename:        draft-sakimura-oauth-tcse
> Revision:        02
> Title:           OAuth Symmetric Proof of Posession for Code Extension
> Creation date:   2013-10-19
> Group:           Individual Submission
> Number of pages: 8
> URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-02.txt
> Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
> Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02
> Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-02
>
> Abstract:
>     The OAuth 2.0 public client utilizing authorization code grant is
>     susceptible to the code interception attack.  This specification
>     describes a mechanism that acts as a control against this threat.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org
> <http://tools.ietf.org>.
>
> The IETF Secretariat
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
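The exchange the thread is discussing (a public client binds its authorization code to a secret `code_verifier`, sends a transformed `code_challenge` up front, and proves possession of the verifier at token exchange so an intercepted code alone is useless) as an added example; this is not code from the draft, the thread, or any project. Assumptions, labelled in the code as well: the transformation names "plain" and "S256" and the S256 formula BASE64URL(SHA256(ASCII(code_verifier))) are the ones the later RFC 7636 standardises, not necessarily the exact names in the -02 draft; `code_verifier_accepted` is the hypothetical response parameter Sergey floats above, modelled only to show what an explicit server-support signal would look like; parameter and class names are illustrative.

```python
"""Added example: a minimal model of the pluggable code_verifier transformation
and the server-side check that defeats authorization-code interception.
Not the draft's own code. Names "plain"/"S256" and the S256 formula follow
RFC 7636 (assumption: the -02 draft may have used different identifiers);
"code_verifier_accepted" is the hypothetical response parameter from the thread.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 uses for the S256 challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Pluggable transformations: name -> function(code_verifier) -> code_challenge.
# Adding a new method is one dictionary entry; the server looks the method up
# by name when it verifies, which is the "pluggable" property praised above.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "plain": lambda v: v,                                             # challenge == verifier
    "S256": lambda v: b64url(hashlib.sha256(v.encode("ascii")).digest()),  # assumption: RFC 7636 formula
}


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy, URL-safe verifier (32 random bytes -> 43 characters)."""
    return b64url(secrets.token_bytes(nbytes))


class AuthorizationServer:
    """Toy authorization server that stores the challenge with each issued code."""

    def __init__(self, supported: Iterable[str] = ("plain", "S256")):
        self.supported = set(supported)
        self._codes: Dict[str, Dict[str, str]] = {}

    def authorize(self, code_challenge: str, method: str = "plain") -> Dict[str, str]:
        # The client must already know the server supports this method, which is
        # the 'MUST' discovery burden the thread questions; an unsupported method
        # is rejected here rather than silently ignored.
        if method not in self.supported:
            raise ValueError("unsupported transformation: " + method)
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {"challenge": code_challenge, "method": method}
        # Hypothetical signal from the thread: tell the client the binding took effect.
        return {"code": code, "code_verifier_accepted": "true"}

    def token(self, code: str, code_verifier: str) -> bool:
        """Return True only if the presented verifier transforms to the stored challenge."""
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return False
        expected = entry["challenge"]
        actual = TRANSFORMS[entry["method"]](code_verifier)
        # Constant-time comparison so the check itself leaks nothing about the challenge.
        return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


def run_flow(server: AuthorizationServer, method: str = "S256", interceptor: bool = False) -> bool:
    """Drive one authorization-code exchange; with interceptor=True, the party
    redeeming the code holds only the code (as in the interception attack), not
    the verifier, so the exchange must fail."""
    verifier = new_code_verifier()
    challenge = TRANSFORMS[method](verifier)
    resp = server.authorize(challenge, method)
    presented = new_code_verifier() if interceptor else verifier
    return server.token(resp["code"], presented)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client:", run_flow(srv, "S256"))          # True
    print("intercepted code: ", run_flow(srv, "S256", True))    # False
    print("plain method:     ", run_flow(srv, "plain"))         # True
```

The "plain" entry keeps the verifier and challenge identical, so it protects only against a party that sees the code but not the authorization request; "S256" also covers an observer of the authorization request, which is why a server that supports both should prefer S256 when the client offers it. The one-time `pop` in `token()` is what stops a replayed code from being redeemed a second time even with the right verifier.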