Re: [OAUTH-WG] SWT for indicating sites where a token is valid

Marius Scurtescu <mscurtescu@google.com> Tue, 11 May 2010 18:24 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1126328531E@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net> <AANLkTincZ8_0-t2r_Ey9BestA_knMciYsxRLyHcOvSVO@mail.gmail.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B2989@WSMSG3153V.srv.dir.telstra.com> <AANLkTinUEWwq2pxLukMrwDHeth-86THV_uvGWCrFjskU@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1126328511A@WSMSG3153V.srv.dir.telstra.com> <AANLkTimgXfVZc5-51FPsamrQPhj8EyXIeAa5qpQFhe3S@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1126328531E@WSMSG3153V.srv.dir.telstra.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Tue, 11 May 2010 11:19:22 -0700
Message-ID: <AANLkTikTeg36ZgwHHNT2sKumMd1N-F0z8Qb1xIBqYsV1@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SWT for indicating sites where a token is valid

Hi James,

On Mon, May 10, 2010 at 5:36 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> Marius,
>
>> But then again, how does the client end up making a request to
>> the wrong site?
>
> The client follows a redirect or link. It doesn't know if the ultimate source of the new URI was the resource server’s internal logic, user-generated content, or a parameter in the request URI (eg an open redirector).

If the protected resource sends a redirect instead of serving the
resource then probably it knows what it is doing.

Following links, how do you see that happening? Normally a client will
not follow links without understanding them and at the same time send
access tokens.

All I am saying is that IMO it is not very likely that redirects and
links will cause tokens to leak. I do agree that "sites" can help in
these cases, just not sure it is worth the complexity.


>>> If the wrong site uses HTTP then the token is also exposed on the network -- so it has just been broadcast in the clear if you are using public wifi. Again a security failure.
>
>> Sure, but the "sites" parameter does not help in these cases.
>
> "sites" does help. If its value was:
>  "sites": ["https://api.example.com", "https://img.example.com"]
> Then no HTTP URI matches so the token is never sent in the clear.

Yes, but HTTP and WIFI can compromise tokens even if sent to the
proper sites. Right?


Marius
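The "sites" check James describes, worked through as an added example (this is not code from the thread, from any SWT draft or from any implementation). It assumes a matching rule the thread never spells out: a request may carry the token only if its origin (scheme, host, port) exactly equals one of the "sites" entries, not merely starts with it. The `Authorization: Bearer` header form and the redirect responses are also assumptions, constructed here so the example runs offline; the client re-runs the check on every hop of a redirect chain, which is where both the open-redirector case and the HTTP-downgrade case from the discussion come up.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed token contents: only the "sites" list from James's message matters here.
SITES = ["https://api.example.com", "https://img.example.com"]


def origin(url):
    """(scheme, host, port) of a URL, scheme and host lower-cased, default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def token_allowed_for(url, sites):
    """Assumed matching rule: url's origin must equal one of the sites entries.

    Exact origin comparison rather than string prefix, so
    https://api.example.com.evil.net and http://api.example.com both fail.
    """
    return origin(url) in {origin(s) for s in sites}


def build_headers(url, token, sites):
    """Request headers for url; the token is attached only if sites permits it."""
    headers = {"Host": urlsplit(url).netloc}
    if token_allowed_for(url, sites):
        # Header form is an assumption; the point is only whether the token leaves the client.
        headers["Authorization"] = "Bearer " + token
    return headers


def follow(url, token, sites, responses, max_hops=5):
    """Walk a redirect chain, re-running the sites check on every hop.

    responses: constructed map url -> (status, body_or_location) standing in for the network.
    Returns [(url, token_was_sent), ...] in request order.
    """
    trace = []
    for _ in range(max_hops):
        headers = build_headers(url, token, sites)
        trace.append((url, "Authorization" in headers))
        status, payload = responses.get(url, (404, ""))
        if status not in (301, 302, 303, 307):
            break
        url = urljoin(url, payload)  # resolve relative Location values against the current URL
    return trace


# Constructed responses covering the three cases from the discussion.
RESPONSES = {
    # resource server answers with a scheme downgrade to plain HTTP
    "https://api.example.com/photos": (302, "http://api.example.com/photos"),
    "http://api.example.com/photos": (200, "photo bytes"),
    # open redirector: destination comes from a request parameter
    "https://api.example.com/go?u=https://attacker.example/collect": (302, "https://attacker.example/collect"),
    "https://attacker.example/collect": (200, ""),
    # benign same-origin relative redirect
    "https://api.example.com/albums": (302, "/albums/2010"),
    "https://api.example.com/albums/2010": (200, "album json"),
}

if __name__ == "__main__":
    for start in ("https://api.example.com/photos",
                  "https://api.example.com/go?u=https://attacker.example/collect",
                  "https://api.example.com/albums"):
        for hop_url, sent in follow(start, "t0k3n", SITES, RESPONSES):
            print(("token sent    " if sent else "token withheld"), hop_url)
```

Because every entry in this "sites" list is an https origin, no plain-HTTP request ever matches, so the downgrade redirect reaches the server without the token; the open-redirector hop fails the same origin test. What the check does not address is Marius's closing point: if the list itself contained an http origin, the token would be sent in the clear to the proper site, and nothing in the check prevents that.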