Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
David Recordon <recordond@gmail.com> Wed, 12 May 2010 06:30 UTC
To: "Axel.Nennker@telekom.de" <Axel.Nennker@telekom.de>, Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Yes, the Client authenticating using an RSA key pair seems like it should be a different flow.

On Tue, May 11, 2010 at 11:25 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> But it is not beyond the scope. We define a parameter just for that called client_secret. If you want to use something else, you need to define an extension that replaces that with something else.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Axel.Nennker@telekom.de
>> Sent: Tuesday, May 11, 2010 11:22 PM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
>>
>> I suggest a change to
>>
>> "3.4. Client Credentials
>>
>> When requesting access from the authorization server, the client
>> identifies itself using a set of client credentials. The client
>> credentials include a client identifier and an OPTIONAL symmetric
>> shared secret. The means through which the client obtains these
>> credentials are beyond the scope of this specification, but usually
>> involve registration with the authorization server."
>>
>> I don't like the "symmetric shared secret" and would like this to be "beyond
>> the scope of this spec".
>>
>> I suggest to change that paragraph e.g. to:
>>
>> "3.4. Client Credentials
>>
>> When requesting access from the authorization server, the client
>> authenticates itself using its credentials. The type of credentials
>> is beyond the scope of this specification. The means through which
>> the client obtains these credentials are beyond the scope of this
>> specification, but usually involve registration with the
>> authorization server."
>>
>> -Axel
>>
>> Ps.
>> If the client has an e.g. RSA-keypair then it could use the private key to sign
>> the request and thereby authenticate itself.
>> The public key would need to be exchanged before out-of-band. Or it could
>> be a certificate that is e.g. issued by the authorization server or a party that
>> the authorization server trusts.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Internet-Drafts@ietf.org
>> Sent: Monday, May 10, 2010 7:45 AM
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>> Subject: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-04.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Open Authentication Protocol Working Group
>> of the IETF.
>>
>>
>> Title     : The OAuth 2.0 Protocol
>> Author(s) : E. Hammer-Lahav, et al.
>> Filename  : draft-ietf-oauth-v2-04.txt
>> Pages     : 51
>> Date      : 2010-05-09
>>
>> This specification describes the OAuth 2.0 protocol. OAuth provides a
>> method for making authenticated HTTP requests using a token - an identifier
>> used to denote an access grant with specific scope, duration, and other
>> attributes. Tokens are issued to third-party clients by an authorization server
>> with the approval of the resource owner. OAuth defines multiple flows for
>> obtaining a token to support a wide range of client types and user
>> experience.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-04.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
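
The two client authentication styles discussed in this thread, side by side, as an added example that is not part of the original message or of the draft: an authorization server checks either the shared `client_secret` or an RSA signature over the request, using a public key registered out of band. Assumptions: the `client_signature` parameter, the canonical form, the `code` field and all registry values are hypothetical and constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed registration data held by the authorization server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const registry = new Map([
  ['client-a', { type: 'secret', secret: 'constructed-shared-secret' }],
  ['client-b', { type: 'rsa', publicKey }], // public key exchanged out of band
]);

// Canonical request string: sorted, percent-encoded pairs, signature field excluded.
function canonicalize(params) {
  return Object.keys(params)
    .filter((k) => k !== 'client_signature')
    .sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
}

// Client side: sign the request with the private key (hypothetical parameter name).
function signRequest(params, key) {
  const sig = crypto.sign('sha256', Buffer.from(canonicalize(params)), key);
  return { ...params, client_signature: sig.toString('base64') };
}

// Server side: authenticate with the credential type registered for client_id.
// The registered type decides; a client registered with a key cannot fall back
// to sending a secret, and vice versa.
function authenticateClient(params) {
  const entry = registry.get(params.client_id);
  if (!entry) return false;
  if (entry.type === 'secret') {
    const given = Buffer.from(String(params.client_secret || ''));
    const want = Buffer.from(entry.secret);
    // Constant-time comparison once lengths match.
    return given.length === want.length && crypto.timingSafeEqual(given, want);
  }
  if (typeof params.client_signature !== 'string') return false;
  const sig = Buffer.from(params.client_signature, 'base64');
  return crypto.verify('sha256', Buffer.from(canonicalize(params)), entry.publicKey, sig);
}
```

A signature over static parameters can be replayed by anyone who captures the request, so a deployed scheme would also sign a timestamp or nonce that the server checks.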