Re: [OAUTH-WG] MAC Token Comments

"William J. Mills" <wmills@yahoo-inc.com> Fri, 12 August 2011 20:58 UTC


I'll take a swag at your comment on #5.  Based on the current abstract of the OAuth 2.0 spec:
The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Which I find somewhat obtuse, how about:

The OAuth 2.0 authorization protocol provides an authentication framework 
supporting multiple HTTP authorization schemes.  This allows a user to
grant (limited) HTTP service access to an application on behalf of 
the user or to a third party application to use on its own behalf.

The Bearer token spec, for example, could include that text and state it is an authorization scheme usable within the OAuth 2 framework.


-bill



________________________________
From: Justin Richer <jricher@mitre.org>
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: "Anganes, Amanda L" <aanganes@mitre.org>
Sent: Friday, August 12, 2011 11:43 AM
Subject: [OAUTH-WG] MAC Token Comments

2: MAC Key: "The server MUST NOT reissue a previously issued MAC key and
MAC key identifier combination." 

3: I would still like to see a binding for post body and url parameters.
This could be as simple as defining a set of parameter names for
everything used in the auth header, but I'm still given the impression
that this has been deemed outside the scope of the MAC token. Our use
case is to pass around signed URLs between servers with all query
parameters protected by the signature, which we use 2-legged OAuth 1.0
for today. We can try to get language for this together if there's
enough draw for it, but I haven't been hearing that from other folks yet
so we might just try to draft an extension to the extension, instead.

5: This section's wording should be brought more in line with the
descriptions of the OAuth protocol in both core and bearer, which in
turn should actually be a bit closer together themselves. Seems like we
need a succinct elevator pitch for "what is OAuth2" to drop into all of
these locations (and other extension specs) -- anybody want to take a
crack at distilling one from these three sources?

7.9: Grammar tweak: "Those designing additional methods should evaluate 
    the compatibility of the normalized request string with their 
    own security requirements."


-- Justin Richer
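Added illustration of the point in item 3 above (not code from the thread or from the MAC draft): the MAC draft's normalized request string signs the request-URI, so query parameters are covered, while a POST body is not unless something like a body hash is carried in the "ext" element. The element order (ts, nonce, method, request-URI, host, port, ext) and hmac-sha-256 are assumed from the draft; the key, nonce and "bodyhash=" convention are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample MAC key; not real credential material.
MAC_KEY = b"constructed-mac-key-for-illustration"


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Assumed layout from the MAC draft: ts, nonce, METHOD, request-URI
    (path plus query string), lowercase host, port, ext, each newline-terminated."""
    parts = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def request_mac(key, ts, nonce, method, url, ext=""):
    """Base64 hmac-sha-256 request MAC over a full URL; the query string is
    part of the request-URI element, so every query parameter is signed."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = u.path + ("?" + u.query if u.query else "")
    nrs = normalized_request_string(ts, nonce, method, request_uri, u.hostname, port, ext)
    digest = hmac.new(key, nrs.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request_mac(key, ts, nonce, method, url, presented_mac, ext=""):
    """Server side: recompute from the request actually received and compare
    in constant time; any change to a query parameter changes the result."""
    expected = request_mac(key, ts, nonce, method, url, ext)
    return hmac.compare_digest(expected, presented_mac)


def body_hash_ext(body):
    """One way to bind a POST body (an assumption, not the draft's mechanism):
    put a hash of the body in ext so that it enters the normalized string."""
    return "bodyhash=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


if __name__ == "__main__":
    url = "https://example.com/resource?user=alice&scope=read"
    mac = request_mac(MAC_KEY, 1313180000, "constructed-nonce", "GET", url)
    print("valid:", verify_request_mac(MAC_KEY, 1313180000, "constructed-nonce", "GET", url, mac))
    tampered = "https://example.com/resource?user=bob&scope=read"
    print("tampered query:", verify_request_mac(MAC_KEY, 1313180000, "constructed-nonce", "GET", tampered, mac))
    # Bodies differ but nothing in the normalized string changes without ext.
    post = "https://example.com/resource"
    unbound = request_mac(MAC_KEY, 1, "n", "POST", post) == request_mac(MAC_KEY, 1, "n", "POST", post)
    bound = request_mac(MAC_KEY, 1, "n", "POST", post, body_hash_ext(b"a=1")) == request_mac(MAC_KEY, 1, "n", "POST", post, body_hash_ext(b"a=2"))
    print("same MAC without body binding:", unbound, "| same MAC with body hash in ext:", bound)
```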
