Re: [OAUTH-WG] Reminder: OAuth WG Conference Call, 21st January 2013, 1pm EST

zhou.sujing@zte.com.cn Fri, 18 January 2013 09:24 UTC

In-Reply-To: <E80A0E6F-7759-451B-8F2B-00193B976A94@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <OF04977A3C.3107D452-ON48257AF7.0032865D-48257AF7.003394FF@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Fri, 18 Jan 2013 17:22:59 +0800
Cc: "oauth@ietf.org WG" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Reminder: OAuth WG Conference Call, 21st January 2013, 1pm EST

I have some questions concerning the oauth-security document.
1. collusion
   Only collusion between resource servers is considered;
however, collusion between a resource server and a client could happen.
2. AS-to-RS relationship anonymity
   If "the Client must not provide information about the Resource Server
in the access token request",
then how can the AS encrypt the access token using the key shared between the AS
and the RS?
   I feel this requirement is unclear and conflicts with some security
measures that might be taken in OAuth 2.0.
3. Compromise of the client and of the RS have been considered (separately),
   but the result of their compromise may not be limited to "client
accessing more resources";
it could be that a compromised client/RS redirects the RO to a manipulated AS,
phishing the RO's credentials, for example.

oauth-bounces@ietf.org wrote on 2013-01-17 21:43:26:

> Hi all, 
> 
> We will have our next OAuth conference call on the 21st January 
> 2013, 1pm EST (for roughly one hour).
> 
> John & Nat kindly offered their conference bridge. It is the same 
> bridge we used before.
> https://www3.gotomeeting.com/join/695548174
> 
> We will continue where we stopped last time, namely we stopped our 
> discussions at the crypto agility requirement 
> (first requirement in http://tools.ietf.org/html/draft-tschofenig-
> oauth-security-01#section-5). 
> 
> Here is the slide set I used last time:
> http://www.tschofenig.priv.at/OAuth2-Security-11Jan2013.ppt
> (We stopped at slide #2.)
> 
> We also did not manage to get to discuss the use case Justin raised 
> at the first conference call. He distributed a writeup on the list:
> http://www.ietf.org/mail-archive/web/oauth/current/msg10407.html
> 
> Ciao
> Hannes & Derek
> 
> PS: I will try to distribute my meeting minute notes from the 
> previous call by tomorrow. 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
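The tension raised in point 2 of the message above (the AS can only seal a token under an AS-to-RS key if it knows which RS the token is for) can be made concrete with a small model. The following is an added illustration, not code from the draft, from the mailing-list author, or from any OAuth implementation. It assumes, for illustration only, that the AS holds one symmetric key per RS, that the client names the target RS in a hypothetical `resource` field of the token request, and that tokens are protected with an encrypt-then-MAC construction built from HMAC-SHA256 (a real deployment would use AES-GCM or a JWE profile instead). When the request omits the RS, the AS has no basis on which to pick a key, which is exactly the conflict the message points out.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed for this example: one symmetric key shared between the AS and
# each RS, provisioned out of band. The key material here is arbitrary.
RS_KEYS = {
    "https://photos.example": hashlib.sha256(b"example key for photos RS").digest(),
    "https://mail.example": hashlib.sha256(b"example key for mail RS").digest(),
}


def _derive(key, label):
    """Derive separate encryption and MAC keys from the shared RS key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, nonce=None):
    """Encrypt-then-MAC: returns base64url(nonce || ciphertext || tag)."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key, token):
    """Verify the tag first, then decrypt. Returns None if the token was not sealed under this key."""
    blob = base64.urlsafe_b64decode(token)
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def issue_token(request):
    """AS side. The sealing key is selected by the RS the client names (hypothetical 'resource' field)."""
    rs = request.get("resource")
    if rs is None:
        # This is the conflict from the message: with no RS named, no AS-to-RS key can be chosen.
        raise ValueError("access token request names no resource server; cannot select an RS key")
    if rs not in RS_KEYS:
        raise ValueError("unknown resource server: " + rs)
    claims = {"client_id": request["client_id"], "scope": request["scope"], "aud": rs}
    return seal(RS_KEYS[rs], json.dumps(claims).encode())


def rs_validate(rs_id, token):
    """RS side: decrypt with its own shared key and check that the token was meant for it."""
    plaintext = unseal(RS_KEYS[rs_id], token)
    if plaintext is None:
        return None
    claims = json.loads(plaintext)
    if claims.get("aud") != rs_id:
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token({"client_id": "app1", "scope": "read", "resource": "https://photos.example"})
    print("photos RS accepts:", rs_validate("https://photos.example", tok))
    print("mail RS accepts:", rs_validate("https://mail.example", tok))
    try:
        issue_token({"client_id": "app1", "scope": "read"})
    except ValueError as e:
        print("AS refuses:", e)
```

The model also shows the other side of the trade-off: once the RS is named in the request, the AS necessarily learns which RS each client talks to, so per-RS token encryption and AS-to-RS relationship anonymity cannot both hold as stated.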