Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

Mike Jones <Michael.Jones@microsoft.com> Tue, 24 April 2012 04:33 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Amos Jeffries <squid3@treenet.co.nz>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
Thread-Index: AQHNIbwgV4Z9yviFHUqw21P4ROZriJapO0KAgAAn49A=
Date: Tue, 24 Apr 2012 04:33:21 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436649663E@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <20120424014600.2289.60899.idtracker@ietfa.amsl.com> <5ad1b8b31aa38e4c0ab3c8012a1b8290@treenet.co.nz>
In-Reply-To: <5ad1b8b31aa38e4c0ab3c8012a1b8290@treenet.co.nz>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

What specific language would you suggest be added to what section(s)?

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Amos Jeffries
Sent: Monday, April 23, 2012 7:10 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

On 24.04.2012 13:46, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Web Authorization
> Protocol Working Group of the IETF.
>
> 	Title           : The OAuth 2.0 Authorization Protocol: Bearer Tokens
> 	Author(s)       : Michael B. Jones
>                           Dick Hardt
>                           David Recordon
> 	Filename        : draft-ietf-oauth-v2-bearer-19.txt
> 	Pages           : 24
> 	Date            : 2012-04-23
>
>    This specification describes how to use bearer tokens in HTTP
>    requests to access OAuth 2.0 protected resources.  Any party in
>    possession of a bearer token (a "bearer") can use it to get access to
>    the associated resources (without demonstrating possession of a
>    cryptographic key).  To prevent misuse, bearer tokens need to be
>    protected from disclosure in storage and in transport.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt
The section 2.3 (URL Query Parameter) text is still lacking explicit and specific security requirements. The overarching TLS requirement is good in general, but insufficient in the presence of HTTP intermediaries on the TLS connection path as is becoming a common practice.

The upcoming HTTPbis specs document this issue as a requirement for new auth schemes such as Bearer:

http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
"
       Therefore, new authentication schemes which choose not to carry
       credentials in the Authorization header (e.g., using a newly
       defined header) will need to explicitly disallow caching, by
       mandating the use of either Cache-Control request directives
       (e.g., "no-store") or response directives (e.g., "private").
"


AYJ

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
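As an added illustration of the caching point raised in the quoted message (this is example code, not code from the Bearer draft, the HTTPbis text, or anyone on the list), the following Python models the shared-cache storability rules the HTTPbis requirement relies on. It shows why a token carried in the Authorization header is kept out of shared caches by the generic rule, while a token carried as a URI query parameter (Bearer section 2.3) is not, so the resource server has to add an explicit Cache-Control directive. The URL, header values, token string and all function names are constructed for this example.

```python
# Added example (not from the draft or the mailing-list thread): a toy
# shared-cache storability check for bearer-token requests.
# All sample header values and the token string are constructed.
from urllib.parse import parse_qs, urlsplit


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value):
    """Parse 'a, b=1, c="x"' into {'a': None, 'b': '1', 'c': 'x'}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def bearer_token_in_query(url, param="access_token"):
    """True if the bearer token is carried as a URI query parameter."""
    return param in parse_qs(urlsplit(url).query)


def shared_cache_may_store(request_headers, response_headers):
    """Simplified shared-cache storability test.

    Not stored: request or response says no-store, or response says private.
    A request that carried an Authorization header is also not stored unless
    the response opts in explicitly (public, must-revalidate or s-maxage).
    Anything else is storable, which is the gap for query-parameter tokens.
    """
    req_cc = parse_cache_control(_header(request_headers, "Cache-Control"))
    resp_cc = parse_cache_control(_header(response_headers, "Cache-Control"))
    if "no-store" in req_cc or "no-store" in resp_cc or "private" in resp_cc:
        return False
    if _header(request_headers, "Authorization") is not None:
        return any(d in resp_cc for d in ("public", "must-revalidate", "s-maxage"))
    return True


def query_token_response_exposed(url, request_headers, response_headers):
    """True when a protected resource fetched with a query-parameter bearer
    token could be stored by a shared cache and later served to others."""
    return bearer_token_in_query(url) and shared_cache_may_store(
        request_headers, response_headers
    )


def harden_response_headers(response_headers):
    """Add the response-side directive the HTTPbis text mandates ('private'),
    keeping whatever other directives the resource server already set."""
    hardened = dict(response_headers)
    key = next((k for k in hardened if k.lower() == "cache-control"), "Cache-Control")
    existing = hardened.get(key)
    directives = parse_cache_control(existing)
    if "private" not in directives and "no-store" not in directives:
        hardened[key] = "private" if not existing else existing + ", private"
    return hardened


if __name__ == "__main__":
    # Constructed sample exchange: the same protected resource, token carried two ways.
    url_query = "https://rs.example/v1/photos?access_token=tok_EXAMPLE_ONLY"
    response = {"Content-Type": "image/jpeg", "Cache-Control": "max-age=3600"}

    # Authorization header: the generic rule already keeps it out of shared caches.
    print(shared_cache_may_store({"Authorization": "Bearer tok_EXAMPLE_ONLY"}, response))
    # Query parameter with the same response: storable, i.e. exposed.
    print(query_token_response_exposed(url_query, {}, response))
    # Same request after the resource server adds 'private': no longer storable.
    print(query_token_response_exposed(url_query, {}, harden_response_headers(response)))
```

The request-side alternative from the quoted text (the client sending `Cache-Control: no-store`) is covered by the same check: passing `{"Cache-Control": "no-store"}` as the request headers makes `shared_cache_may_store` return False regardless of how the token was carried.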