IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of -22

John Bradley <ve7jtb@ve7jtb.com> Wed, 02 November 2011 20:37 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD12611E8122 for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.532
X-Spam-Level:
X-Spam-Status: No, score=-3.532 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oANEo5xCuDsT for <oauth@ietfa.amsl.com>; Wed, 2 Nov 2011 13:37:28 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0F68B11E80BC for <oauth@ietf.org>; Wed, 2 Nov 2011 13:37:27 -0700 (PDT)
Received: by ggnv1 with SMTP id v1so594278ggn.31 for <oauth@ietf.org>; Wed, 02 Nov 2011 13:37:27 -0700 (PDT)
Received: by 10.236.22.136 with SMTP id t8mr9639130yht.30.1320266247399; Wed, 02 Nov 2011 13:37:27 -0700 (PDT)
Received: from [192.168.1.213] ([190.22.4.104]) by mx.google.com with ESMTPS id v5sm10425403anf.3.2011.11.02.13.37.24 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 02 Nov 2011 13:37:26 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: multipart/signed; boundary="Apple-Mail=_CF6FC7A4-1D67-470A-B242-176C0D3D0248"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 02 Nov 2011 17:37:21 -0300
Message-Id: <F5B0E1D6-2377-4487-8D23-8E55CCABB260@ve7jtb.com>
References: <4E971C36.7050000@cs.tcd.ie> <4EB19DD1.6050904@lodderstedt.net>, <5E3E5DFE-C122-4D89-9578-61A6C16EBD76@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E72345263321025@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of -22
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 20:37:29 -0000

If the spec requires clients to implement both, the reality is most clients will only impliment one and be non compliant.

Given that openID Connect supports Bearer ONLY.  Requiring clients to support MAC would cause clients to implement code that won't be used.

It is up to the server to decide what formats it will support.  If clients can't talk to the servers they need to then they will support the token format.

I am opposed to making MAC MTI for Server or client.

I don't want to start a token war, there are use cases for both, and perhaps others in the future.

So I think that is a Canadian way of saying no change.

John B.


On 2011-11-02, at 5:11 PM, Eran Hammer-Lahav wrote:

> Do you want to see no change or adjust it to client must implement both, server decides which to use.
>  
> EHL
>  
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of John Bradley [ve7jtb@ve7jtb.com]
> Sent: Wednesday, November 02, 2011 1:06 PM
> To: Torsten Lodderstedt
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of -22
> 
> +1
> On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
> 
>> Hi Stephen,
>> 
>> I'm concerned about your proposal (7) to make support for MAC a MUST for clients and BEARER a MAY only. In my opinion, this does not reflect the group's consensus. Beside this, the security threat analysis justifies usage of BEARER for nearly all use cases as long as HTTPS (incl. server authentication) can be utilized.
>> regards,
>> Torsten.
>> 
>> Am 13.10.2011 19:13, schrieb Stephen Farrell:
>>> 
>>> 
>>> Hi all, 
>>> 
>>> Sorry for having been quite slow with this, but I had a bunch 
>>> of travel recently. 
>>> 
>>> Anyway, my AD comments on -22 are attached. I think that the 
>>> first list has the ones that need some change before we push 
>>> this out for IETF LC, there might or might not be something 
>>> to change as a result of the 2nd list of questions and the 
>>> rest are really nits can be handled either now or later. 
>>> 
>>> Thanks for all your work on this so far - its nearly there 
>>> IMO and we should be able to get the IETF LC started once 
>>> these few things are dealt with. 
>>> 
>>> Cheers, 
>>> S. 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email