Re: [OAUTH-WG] Not requiring client registration
Francisco Corella <fcorella@pomcor.com> Thu, 23 September 2010 16:15 UTC
Return-Path: <fcorella@pomcor.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C2533A6AC0 for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 09:15:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.184
X-Spam-Level:
X-Spam-Status: No, score=-0.184 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mYiYuA0Yg2Tu for <oauth@core3.amsl.com>; Thu, 23 Sep 2010 09:15:46 -0700 (PDT)
Received: from n6.bullet.re3.yahoo.com (n6.bullet.re3.yahoo.com [68.142.237.91]) by core3.amsl.com (Postfix) with SMTP id 2EE1A3A698F for <oauth@ietf.org>; Thu, 23 Sep 2010 09:15:46 -0700 (PDT)
Received: from [68.142.237.90] by n6.bullet.re3.yahoo.com with NNFMP; 23 Sep 2010 16:16:13 -0000
Received: from [66.196.114.73] by t6.bullet.re3.yahoo.com with NNFMP; 23 Sep 2010 16:16:12 -0000
Received: from [127.0.0.1] by omp302.mail.re3.yahoo.com with NNFMP; 23 Sep 2010 16:16:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 166270.51063.bm@omp302.mail.re3.yahoo.com
Received: (qmail 93743 invoked by uid 60001); 23 Sep 2010 16:16:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1285258572; bh=JJdQBCE0SmSUbLAhOFan/e/sSGOxYVyvcKUE/LaKkBw=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=ZzCL54mvtjEQFzZ23lzU6qlyIj/jsjBrP9M3j0iyBpeV9N0KJW4/CuSKaLfsSEPkIrUnOyEF7NEegRspgkz9Oy6BhrsGXoR7n5I9vCXcraQ0flmTBooc2XTI6TApNhDhCQBb2WmEiYwOdlt6ibvgrj7y9FJrmN1BUoaBOtbtsIs=
Message-ID: <943722.89186.qm@web55803.mail.re3.yahoo.com>
X-YMail-OSG: DJDrk8cVM1n2Nd5RFAYCMqYB6X8cgtCWToxRUxIXT7vO7Sb vnuDAcLTYXlWrskKFV9iEL1tk3tFoY09AORgHOGLpzX6LwPKOhuGYKu_iJSE fIgepu6SgtHidNG.AFLstVl9zVfdrR4F3pWct.r8mvZCiiT5CQwptSBa3XPZ c9R.LHQuUoquZ7arSNuwIKqjHw_9zd8v7NNOC25AY2_qVhbsc1dcVzFeIj3Z YfkvFMbuu.SycupTi18GMBz.4.e6vCQmPQjBFZW_7IPjomZ0dTTgCwNVvTvf mgRNqSSlEnlclzTSbad6Ku2nL3625a1yuXAgprWwP749r.MBB_JFJiZs2rcU NGVGBJ1V.3xe6frhv32aKrGE-
Received: from [67.91.91.101] by web55803.mail.re3.yahoo.com via HTTP; Thu, 23 Sep 2010 09:16:11 PDT
X-RocketYMMF: francisco_corella
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.105.279950
Date: Thu, 23 Sep 2010 09:16:11 -0700
From: Francisco Corella <fcorella@pomcor.com>
To: oauth@ietf.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1624064356-1285258571=:89186"
Subject: Re: [OAUTH-WG] Not requiring client registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: fcorella@pomcor.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 16:15:49 -0000
I forgot to acknowledge in my previous message that the work that let to the proposal was supported by NSF grant IIP-1013594. --- On Thu, 9/23/10, Francisco Corella <fcorella@pomcor.com> wrote: From: Francisco Corella <fcorella@pomcor.com> Subject: Not requiring client registration To: oauth@ietf.org Date: Thursday, September 23, 2010, 3:31 AM Hello, I'm new to the list. I've signed up to propose a simple improvement that would avoid the need for the OAuth client to register with the resource server. Registration may seem necessary because it provides information that the resource server can use to tell the user what client is requesting a resource. But there are alternatives: in the solution I describe below, the resource server describes the client to the user using information contained in an ordinary TLS server certificate presented by the OAuth client during an ordinary TLS handshake. Eliminating the need for registration would have many benefits. Consider the photo sharing/printing example of the Internet draft, and assume that there is a standard Web API that printing services can use to access photo sharing services. (Is there such a thing? If not there will no doubt be one in the future.) A new photo sharing service would benefit because its users could use any printing service, and because it would not have to implement and maintain a registration service. A photo printing service would benefit because it could print photos from any photo sharing service implementing the standard API, without having to register or even be aware of the existence of the photo sharing service. (The user would provide the url of the sharing service.) And a user would benefit by being less constrained in her choice of photo-sharing-and-printing solutions. Here is the proposal. I assume that the OAuth client runs in a web server ("web server profile"). The user asks the OAuth client to access a resource on its behalf. The OAuth client redirects the user-agent to the resource server, but instead of including a client identifier in the redirection url, it includes a url pointing to a web server owned by the OAuth client, from which the resource server downloads a self-signed TLS client certificate that the OAuth client will later use for authentication in a TLS handshake. This url is an https url, and the resource server obtains the OAuth client's server certificate during the TLS handshake. (Note: the OAuth client has two certificates, a TLS client certificate and a TLS server certificate. A single dual-purpose certificate could play both roles, but I don't see an advantage to this.) The resource server asks permission from the user to provide the resource to the OAuth client, describing the Oauth client to the user based on the information included the server certificate, and perhaps telling the user what CA backs the server certificate. Assume the user grants permission. The resource server stores the OAuth client's self-signed client certificate, pairing it with an authorization code, and places the authorization code in a redirection url that redirects the user-agent back to the OAuth client. The OAuth client uses the authorization code to request the resource over a TLS connection, in which it authenticates itself using the self-signed client certificate. The resource server verifies the self-signed client certificate by checking that it had earlier stored it, paired with the authorization code. Does this make sense? Francisco --- Francisco Corella CEO, Pomcor fcorella at pomcor dot com
- Re: [OAUTH-WG] Not requiring client registration Francisco Corella