IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt

David Recordon <recordond@gmail.com> Wed, 12 May 2010 06:30 UTC

Return-Path: <recordond@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 637583A6AD8 for <oauth@core3.amsl.com>; Tue, 11 May 2010 23:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.352, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aWfLCFulZ4o for <oauth@core3.amsl.com>; Tue, 11 May 2010 23:30:03 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id D2DDE3A6AF0 for <oauth@ietf.org>; Tue, 11 May 2010 23:30:02 -0700 (PDT)
Received: by gyh4 with SMTP id 4so3352094gyh.31 for <oauth@ietf.org>; Tue, 11 May 2010 23:29:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=crmCZ/95RsWI7P20FCwD4uPsETdkpJTn+gdPdLzo9vE=; b=TdyhW6AVatqbHqnD3Cxu3I0YgIoN8hPrw3bvgg0PkCUXZ/vGH/wrbNEUI0mIHX2rG+ NFkCd5LhFABdMnjoxaQvTWGCFuOHFYvsjLwHB/DVk/f5cD7Wvyg34pWJQu/DCnHwnrbK huVMGCDTHI91sObpd6qS3gQXxWrJyaJwQtNYk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=uQiK0motDBhYWmZsoEBjt5ChqOrAZhaEloxXEYcBoIQSi6y75lb+s2VFTqqRWF7SOq M4b2AdJuvDH/hcA/YY5cYgZIykPgdjZhRj1OCH2xHP6j26IQ8PEfwfGn4VbCVt6zCoBf jXeoCBKHvxJGSPPbg3iNjnKSrWbb0bXogZnE4=
MIME-Version: 1.0
Received: by 10.101.182.34 with SMTP id j34mr3519218anp.262.1273645789722; Tue, 11 May 2010 23:29:49 -0700 (PDT)
Received: by 10.100.248.11 with HTTP; Tue, 11 May 2010 23:29:49 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB474C9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <20100510054516.2957E3A6B0C@core3.amsl.com> <98B37F7D0484184B9DBDCC44B6C8EDA3049F9EDF@S4DE9JSAAID.ost.t-com.de> <90C41DD21FB7C64BB94121FBBC2E72343B3AB474C9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 11 May 2010 23:29:49 -0700
Message-ID: <AANLkTinTq_5R0gFqCM3Ctj5elpAjO3vA87WCGZhdrfOF@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: "Axel.Nennker@telekom.de" <Axel.Nennker@telekom.de>, Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 06:30:04 -0000

Yes, the Client authenticating using a RSA key pair seems like it
should be a different flow.

On Tue, May 11, 2010 at 11:25 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> But it is not beyond the scope. We define a parameter just for that called client_secret. If you want to use something else, you need to define an extension that replaces that with something else.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Axel.Nennker@telekom.de
>> Sent: Tuesday, May 11, 2010 11:22 PM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
>>
>> I suggest a change to
>>
>> "3.4.  Client Credentials
>>
>>    When requesting access from the authorization server, the client
>>    identifies itself using a set of client credentials.  The client
>>    credentials include a client identifier and an OPTIONAL symmetric
>>    shared secret.  The means through which the client obtains these
>>    credentials are beyond the scope of this specification, but usually
>>    involve registration with the authorization server."
>>
>> I don't like the "symmetric shared secret" and would like this to be "beyond
>> the scope of this spec".
>>
>> I suggest to change that paragraph e.g. to:
>>
>> "3.4.  Client Credentials
>>
>>    When requesting access from the authorization server, the client
>>    authenticates itself using its credentials. The type of credentials
>>    is beyond the scope of this specification. The means through which
>>    the client obtains these credentials are beyond the scope of this
>>    specification, but usually involve registration with the
>>    authorization server."
>>
>> -Axel
>>
>> Ps.
>> If the client has an e.g. RSA-keypair then it could use the private key to sign
>> the request and thereby authenticate itself.
>> The public key would need to be exchanged before out-of-band. Or it could
>> be a certificate that is e.g. issued by the authorization server or a party that
>> the authorization server trusts.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Internet-Drafts@ietf.org
>> Sent: Monday, May 10, 2010 7:45 AM
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Open Authentication Protocol Working Group
>> of the IETF.
>>
>>
>>       Title           : The OAuth 2.0 Protocol
>>       Author(s)       : E. Hammer-Lahav, et al.
>>       Filename        : draft-ietf-oauth-v2-04.txt
>>       Pages           : 51
>>       Date            : 2010-05-09
>>
>> This specification describes the OAuth 2.0 protocol.  OAuth provides a
>> method for making authenticated HTTP requests using a token - an identifier
>> used to denote an access grant with specific scope, duration, and other
>> attributes.  Tokens are issued to third-party clients by an authorization server
>> with the approval of the resource owner.  OAuth defines multiple flows for
>> obtaining a token to support a wide range of client types and user
>> experience.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-04.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the Internet-
>> Draft.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email