IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of -22

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 02 November 2011 20:28 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9013F11E811F for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.585
X-Spam-Level:
X-Spam-Status: No, score=-102.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLll2k+PF-TE for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:28:41 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 975E211E80BC for <oauth@ietf.org>; Wed, 2 Nov 2011 13:28:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 6EC1A153D3A; Wed, 2 Nov 2011 20:28:40 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1320265720; bh=SbFxuNpB7lzT67 P/U1QrF4pQKYgZ1dqXhZYJmqxT3tU=; b=eClrxy6D0wv56VROt6tfXSe046svXO meq3GwKUMDkcapzWsTdMN8P2jjLYykw8dXdFOnQNBp4MVWQd1RuACkMBSeAnOMQa u0wchTaWU/BJeGFgL1BOfXZHabVncKSbtEYct2pzQ2H3w+uWKKCLT+LkgfeiVa/k i1wjpbJ72q52N032/d/0dS9F/mDNBLI+tKHcGgia8PM5akb5blnwGzWMp9SIpsDD sVq0I+nKVVK0+rbGgVsPz7SEhMWbqUNyClXFtwx/ZzuB2P5W4pc+osU0j64wXruO l20zrtvyMjnADWiS7cSPQPDbQcYcBI9CrzsiE2sk3L+x2qD6/TU4L3iA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id cvzUqRAZAF80; Wed, 2 Nov 2011 20:28:40 +0000 (GMT)
Received: from [10.87.48.6] (unknown [86.45.59.36]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 0627A153D39; Wed, 2 Nov 2011 20:28:39 +0000 (GMT)
Message-ID: <4EB1A7E8.5030209@cs.tcd.ie>
Date: Wed, 02 Nov 2011 20:28:24 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>
In-Reply-To: <4EB19DD1.6050904@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:28:42 -0000

Hi Torsten,

On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
> Hi Stephen,
>
> I'm concerned about your proposal (7) to make support for MAC a MUST for
> clients and BEARER a MAY only. In my opinion, this does not reflect the
> group's consensus.

That wasn't quite my comment, which is below:

    (7) Doesn't 7.1 need to say which token types are MTI so that we
    get interop?  I think I'd like to see mac being a MUST and bearer
    being a MAY but regardless of my preference, I don't think you
    can be silent on this. And as a consequence one or both of
    the mac/bearer drafts need to end up as normative.

 > Beside this, the security threat analysis justifies
> usage of BEARER for nearly all use cases as long as HTTPS (incl. server
> authentication) can be utilized.

As I said, I personally prefer the mac scheme since it demonstrates
use of a key. However, as I also said, the main concern with this
point is interop. (I do note though that bearer has server-auth TLS
as a MUST USE, so the implication of making bearer a MUST is that
TLS is MTI for the base spec too and a MUST USE for anything
involving the MTI token type.)

In any case I can live with it so long as the set of things that
are MTI is clear.

Incidentally, I don't believe any amount of +1 messages to your
mail answer my point above. As Eran's mail asks: what is it
that you're suggesting be MTI for whom?

S.

>
> regards,
> Torsten.
>
>
> Am 13.10.2011 19:13, schrieb Stephen Farrell:
>>
>> Hi all,
>>
>> Sorry for having been quite slow with this, but I had a bunch
>> of travel recently.
>>
>> Anyway, my AD comments on -22 are attached. I think that the
>> first list has the ones that need some change before we push
>> this out for IETF LC, there might or might not be something
>> to change as a result of the 2nd list of questions and the
>> rest are really nits can be handled either now or later.
>>
>> Thanks for all your work on this so far - its nearly there
>> IMO and we should be able to get the IETF LC started once
>> these few things are dealt with.
>>
>> Cheers,
>> S.
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email