Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 15 July 2013 20:21 UTC

Message-ID: <51E45994.7090708@gmail.com>
Date: Mon, 15 Jul 2013 21:20:36 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: oauth@ietf.org
References: <DD60BBE0-5859-4D81-9DA1-EB413FF4BA8E@gmx.net>
In-Reply-To: <DD60BBE0-5859-4D81-9DA1-EB413FF4BA8E@gmx.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac

Hi Hannes, All,

Thanks for the update.

I asked last time but did not get an answer:

- Why is the use of an access token mandated to be 'conditional'? If you
think I need to read the text more carefully, then please do not
hesitate to say so :-), I'll give it a try.

- Reading the "Session Key Transport to Resource Server" section makes me
nervous. Maybe I'm missing the point, but I wonder what happened to
that draft which had a chance to go mainstream? Do the editors target a new
MAC token at large OAuth2 implementers only? It appears to me the focus
is more on getting JWT more recognized as opposed to making a simple MAC
scheme work... I'm sorry if I sound like I've no clue what I'm talking
about, but please make this section read such that people can implement
the scheme without having to know what JWT or a dynamic introspection
mechanism is.

Best Regards
Sergey

On 15/07/13 18:29, Hannes Tschofenig wrote:
> Hi all,
>
> we have submitted an update to the MAC token document. From the changes to the previous version you will see that we have incorporated text written during the design team discussions earlier this year into the appendix. I hope that this provides additional background about the threats, use cases, and security requirements. Phil has joined us as a co-author (since he was heavily involved in the work on the incorporated text).
>
> There is, however, still work to be done. The body of the document still needs a lot of work to get the specification to the level of detail at which we can start the WGLC.
>
> Anyway, here is the updated document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac
>
> Ciao
> Hannes
>