IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 1.0a

William Mills <wmills_92105@yahoo.com> Wed, 15 August 2012 06:16 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EC5621F865E for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:16:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.278
X-Spam-Level:
X-Spam-Status: No, score=-2.278 tagged_above=-999 required=5 tests=[AWL=-0.280, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CC1ddp-LxZ79 for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:16:13 -0700 (PDT)
Received: from nm39-vm5.bullet.mail.ne1.yahoo.com (nm39-vm5.bullet.mail.ne1.yahoo.com [98.138.229.165]) by ietfa.amsl.com (Postfix) with SMTP id DC47221F8620 for <oauth@ietf.org>; Tue, 14 Aug 2012 23:16:12 -0700 (PDT)
Received: from [98.138.90.50] by nm39.bullet.mail.ne1.yahoo.com with NNFMP; 15 Aug 2012 06:16:02 -0000
Received: from [98.138.88.232] by tm3.bullet.mail.ne1.yahoo.com with NNFMP; 15 Aug 2012 06:16:01 -0000
Received: from [127.0.0.1] by omp1032.mail.ne1.yahoo.com with NNFMP; 15 Aug 2012 06:16:01 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 864873.95950.bm@omp1032.mail.ne1.yahoo.com
Received: (qmail 59460 invoked by uid 60001); 15 Aug 2012 06:16:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1345011361; bh=aquZhruE9cHVAmp2A1QFQ4vG48OaVWFDlqdn+02Lja8=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=PTUdGD6DWw1s/lPfAmxeF5po8wz1ifR4CQcDtsgNmjdmTz1fVeSaPua2LHAsNXGOwKqRi6b1JTgRGbk+QHamMa9O9akjZ9YiUR2Ubg5jRzOxSvGnxQJJ/CgrY+O/p8ombMMCxwLF6faowwvrIULGT0ZvcbJF0iuFh0a8vZMeW3U=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=M2UGme5W3qX2NSTMegUml2Lw3rBpJmbKL5xTYUnHG76g5Fyo/OZBZ8V5co3UH9yRBzyundrdLp+SlEWt9fPMj8sa+XZfgxAHTrpxR7jT6gb+QN67H690SPEtdEaRzA9WVaXJ5H3IgVivRKymvXA+cIiIyjvWdqdqvvW6kD5PzYk=;
X-YMail-OSG: Pc5m.UkVM1ndMcGjp9UT.GdZVF2ALjApig_H9DxrGnd405N D8Hj880TlEU88w3r39sLsC8Jf8bJiwMWyyEGCLlYmzR6fno_z1UoTNwi.tQK GpC1n26dkIZvLaWf9oJPzOxwaqczk2Hu4.L9SyiDu2JWIw4ZErSaCrErBwgG wS4tNeYwbVmMWS_AvpUHAaEIelXtTsspzGOWz0w1ISDEZDGkJ8wG_cD0ohWL azplVaCTv8ep8vFU7GVwsvKdwGzzXI3uIkjOftCCHRMl7kpmwwTDAf3DrmZF OO3XXSvcaZU.IvxK4ximbfUDdQuYYF4Xiee0l7zQTWB4CTSiPoD74OnJwiiu 4f9Kzo4eCIGBnhWmyEKVo4LYiWJ_7Z77ysEtWo24WueUqhOvZpdF4HaTL4Yd Z9lClf1YTTWQOE3QsbTXRQRO6Nt29DCa41QYBf3ETjAhl2imdZZO.K0d6Bbb mzFaosKG0JWt9xLBMVwaoUpkwmyWTGCFgI540Yy4D9mR8P4cKxcxyRx1JTEQ HnIw-
Received: from [209.131.62.115] by web31816.mail.mud.yahoo.com via HTTP; Tue, 14 Aug 2012 23:16:01 PDT
X-Mailer: YahooMailWebService/0.8.121.416
References: <1344972117.60342.YahooMailNeo@web31802.mail.mud.yahoo.com> <4E1F6AAD24975D4BA5B168042967394366777A7F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1344973056.51964.YahooMailNeo@web31812.mail.mud.yahoo.com> <502AAA2D.1050404@lodderstedt.net> <1344974023.98979.YahooMailNeo@web31804.mail.mud.yahoo.com> <BCB8CADF-1B00-4388-85BA-3499953C9182@gmx.net>
Message-ID: <1345011361.54744.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Tue, 14 Aug 2012 23:16:01 -0700
From: William Mills <wmills_92105@yahoo.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <BCB8CADF-1B00-4388-85BA-3499953C9182@gmx.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1238014912-818528360-1345011361=:54744"
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 06:16:14 -0000

Fundamentally MAC and any HoK that uses symmetric keys are equivalent.  Either can pull in the same profile of HTTP stuff into the signature.

I commented on your argument that MAC and Bearer have equivalent security properties in a different thread.

-bill


________________________________
 From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: William Mills <wmills_92105@yahoo.com> 
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Torsten Lodderstedt <torsten@lodderstedt.net>; O Auth WG <oauth@ietf.org> 
Sent: Tuesday, August 14, 2012 10:49 PM
Subject: Re: [OAUTH-WG] OAuth 1.0a
 
Hi Bill, 

how do you know that the outcome of the security discussions will unlikely be different than MAC?

The views about TLS had changed in the meanwhile (a few years ago many thought it is too heavy and too expensive to get certificates), and we now have the JSON work as well. On top of that we may also want to provide not just client to server key confirmation with integrity protection of a few fields but more than that. In a nutshell the solution has to provide better security than bearer -- not just be different. 

Ciao
Hannes

On Aug 14, 2012, at 10:53 PM, William Mills wrote:

> I want to get the SASL work done.   HoK is interesting, but I've become convinced that it's not actually anything that needs it's own spec, you can do HoK with MAC or any other signed scheme by including the needed proof of ownership in the token.   HoK, however it works out, is unlikely to vary a lot from the elements that would currently be needed to support MAC or 1.0a and if needed can just extend the SASL mechanism.
> 
> -bill
> 
> From: Torsten Lodderstedt <torsten@lodderstedt.net>
> To: William Mills <wmills_92105@yahoo.com> 
> Cc: Mike Jones <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org> 
> Sent: Tuesday, August 14, 2012 12:42 PM
> Subject: Re: [OAUTH-WG] OAuth 1.0a
> 
> Hi Bill,
> 
> do you need to specify this aspect of your SASL profile now? Why don't you wait for the group to complete the work on signing/HoK? 
> 
> You could also contribute your use cases to drive the discussion.
> 
> best regards,
> Torsten.
> 
> Am 14.08.2012 21:37, schrieb William Mills:
>> It's for the OAUTH SASL spec.  I've been writing it with the idea that OAuth 1.0a would work (since I think we'll have extant 1.0a typ[e tokens we want to allow for IMAP), but several folks were saying when this all started that 1.0a was dead and I should not refer to it.
>> 
>> I want to make sure the SASL mechanism is build to properly handle signed auth schemes and not just bearer (cookie) type.  
>> 
>> -bill
>> 
>> From: Mike Jones <Michael.Jones@microsoft.com>
>> To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org> 
>> Sent: Tuesday, August 14, 2012 12:28 PM
>> Subject: RE: [OAUTH-WG] OAuth 1.0a
>> 
>> What problem are you trying to solve?
>>  
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
>> Sent: Tuesday, August 14, 2012 12:22 PM
>> To: O Auth WG
>> Subject: [OAUTH-WG] OAuth 1.0a
>>  
>> What's the general opinion on 1.0a?  Am I stepping in something if I refer to it in another draft?  I want to reference an auth scheme that uses signing and now MAC is apparently going back to the drawing board, so I'm thinking about using 1.0a.
>>  
>> Thanks,
>>  
>> -bill
>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> 
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email