Re: [OAUTH-WG] "shared symmetric secret"

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 13 July 2010 20:46 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Eaton <beaton@google.com>, Blaine Cook <romeda@gmail.com>
Date: Tue, 13 Jul 2010 13:46:17 -0700
Cc: OAuth WG <oauth@ietf.org>

I'll work with this text.

EHL


On 7/13/10 1:35 PM, "Brian Eaton" <beaton@google.com> wrote:

On Tue, Jul 13, 2010 at 1:06 PM, Blaine Cook <romeda@gmail.com> wrote:
> Don't leak it, and treat it as though it were a
> password", then we avoid having to explain (embarrassingly) that the
> "capability" actually meant something like "password".

For the initiated, that's what "capability" means.

How about this language:

"Access tokens are bearer authentication tokens, such as passwords or
capabilities."

I'd encourage the use of the word "capability" because a lot of the
use cases that OAuth 2 enables over OAuth 1 involve using the token
like a capability, sharing it across multiple components to convey
authorization.