Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

Hannes Tschofenig <hannes.tschofenig@nsn.com> Thu, 28 October 2010 11:02 UTC

Date: Thu, 28 Oct 2010 14:04:35 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: "ext Freeman, Tim" <tim.freeman@hp.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <C8EF3373.2679%hannes.tschofenig@nsn.com>
Thread-Topic: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)
In-Reply-To: <59DD1BA8FD3C0F4C90771C18F2B5B53A653ACE4C0B@GVW0432EXB.americas.hpqcorp.net>

Hey Tim, 

Earlier this year we had discussions around use cases, but they did not lead
to more insight.

There is a document in the draft repository that talks about use cases,
namely http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/,
but it has never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use
cases that motivate some security mechanisms have not produced anything
either. (I believe the reason was that the scenarios focused on the
user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see
http://datatracker.ietf.org/doc/draft-tschofenig-oauth-signature-thoughts/),
you will notice that from a security point of view there is very little
difference between using message signing on the HTTP layer and using TLS
with respect to a certain class of security threats.

In our recommendation we actually suggest going for HTTP-layer security
because we are worried that ***operational*** aspects will go wrong in
deployments.

While I was initially convinced that looking at the use cases would get us
further on the security questions, it actually does not.

Ciao
Hannes

PS: Btw, your feedback on the security draft would be of interest to us.


On 10/27/10 9:09 PM, "ext Freeman, Tim" <tim.freeman@hp.com> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases.  If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve.  This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress.  It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.