Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 15 July 2013 20:36 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <51E45994.7090708@gmail.com>
Date: Mon, 15 Jul 2013 22:36:32 +0200
Message-Id: <A91B5807-A357-4FAA-A5DC-60978E7B7208@gmx.net>
References: <DD60BBE0-5859-4D81-9DA1-EB413FF4BA8E@gmx.net> <51E45994.7090708@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac

Hi Sergey, 

sorry that I missed your earlier questions. 

On Jul 15, 2013, at 10:20 PM, Sergey Beryozkin wrote:

> Hi Hannes, All,
> 
> Thanks for the update.
> 
> I asked last time but did not get an answer:
> - why the use of the access token is mandated to be 'conditional' - if you think I need to read the text more carefully, then please do not hesitate to say so :-), I'll give it a try
> 
The reason is that the keying material associated with the access token may be cached by the client and the resource server. Hence, you may not need to send the access token with every request. 

I am working on some examples that will illustrate this nicely. 

> - Reading the "Session Key Transport to Resource Server" section makes me nervous. Maybe I'm missing the point, but I wonder, what happened to that draft which had a chance to go mainstream? Do the editors target a new MAC token at large OAuth2 implementers only? It appears to me the focus is more on getting JWT more recognized as opposed to making a simple MAC scheme work... I'm sorry if I sound like I've no clue what I'm talking about, but please make this section read such that people can implement the scheme without having to know what JWT or a dynamic introspection mechanism is

In Section 4 we discuss different key distribution mechanisms. There has to be a story for how the session key gets securely from the Authorization Server to the Resource Server. 
Not discussing that topic (as was done before) does not make the issue go away, and so we describe the options. We will not get through the IETF process without having an answer to that question. 

Hence, the only question is: which key distribution mechanism do you like most? I had asked that question to the group before and the consensus so far was "stick the key in the access token".  This is what Section 4.2 currently describes. 

I am happy to describe that in a better way in the document if you think that the story does not get across well. 

Ciao
Hannes

> 
> Best Regards
> Sergey
> 
> On 15/07/13 18:29, Hannes Tschofenig wrote:
>> Hi all,
>> 
>> we have submitted an update to the MAC token document. From the changes to the previous version you will see that we have incorporated text written during the design team discussions earlier this year into the appendix. I hope that this provides additional background about the threats, use cases, and security requirements. Phil has joined us as a co-author (since he was heavily involved in the work on the incorporated text).
>> 
>> There is, however, still work to be done. The body of the document still needs a lot of work to get the specification to the level of detail at which we can start the WGLC.
>> 
>> Anyway, here is the updated document:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac
>> 
>> Ciao
>> Hannes
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 

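The two points Hannes makes above (the access token is conditional because the resource server can cache the session key, and Section 4.2's "stick the key in the access token" key distribution) are easiest to see in an end-to-end flow. The following is an added example, not code from the draft or from the OAuth working group: the token layout (`kid`, `exp`, `nonce`, `key` claims), the authorization parameter names (`id`, `ts`, `nonce`, `mac`, `access_token`), the request normalization string and the HMAC-based keystream used to wrap the session key are all assumptions chosen so the example runs on the Python standard library; a real deployment would wrap the key with AES-GCM or JWE and follow the draft's own normalization. The authorization server wraps a fresh session key for the resource server inside the token; the client sends the token only on its first request and just the key id plus a MAC afterwards; the resource server unwraps and caches the key, rejects a token-less request for an unknown key id, and checks timestamp, nonce replay and the MAC on every request.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def keystream(key, nonce, length):
    """PRF keystream HMAC-SHA256(key, nonce || counter): a stdlib stand-in
    (assumption) for a real key-wrapping algorithm such as AES-GCM / JWE."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive(rs_key, label):
    """Separate encryption and MAC keys from the AS/RS shared secret."""
    return hmac.new(rs_key, label, hashlib.sha256).digest()


def request_mac(session_key, ts, nonce, method, host, path, body):
    """MAC over a simplified canonical request string (assumed layout; the
    draft defines its own normalization)."""
    body_hash = b64(hashlib.sha256(body).digest())
    canonical = "\n".join([str(ts), nonce, method.upper(), host, path, body_hash]).encode()
    return b64(hmac.new(session_key, canonical, hashlib.sha256).digest())


class AuthorizationServer:
    """Issues access tokens that carry the session key wrapped for the RS."""

    def __init__(self, rs_key):
        self.enc_key, self.mac_key = derive(rs_key, b"enc"), derive(rs_key, b"mac")

    def issue(self, now, lifetime=3600):
        session_key, nonce, kid = os.urandom(32), os.urandom(16), b64(os.urandom(8))
        wrapped = xor(session_key, keystream(self.enc_key, nonce, 32))
        claims = {"kid": kid, "exp": now + lifetime, "nonce": b64(nonce), "key": b64(wrapped)}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.mac_key, payload, hashlib.sha256).digest()  # encrypt-then-MAC
        return b64(payload) + "." + b64(tag), kid, session_key


class Client:
    def __init__(self, token, kid, session_key):
        self.token, self.kid, self.key, self.sent_token = token, kid, session_key, False

    def authorize(self, now, method, host, path, body=b""):
        nonce = b64(os.urandom(8))
        params = {"id": self.kid, "ts": now, "nonce": nonce,
                  "mac": request_mac(self.key, now, nonce, method, host, path, body)}
        if not self.sent_token:  # the access token is conditional: first request only
            params["access_token"], self.sent_token = self.token, True
        return params


class ResourceServer:
    def __init__(self, rs_key, skew=300):
        self.enc_key, self.mac_key = derive(rs_key, b"enc"), derive(rs_key, b"mac")
        self.keys, self.seen, self.skew = {}, set(), skew  # kid -> (key, exp); replay cache

    def _unwrap(self, token, now):
        payload_b64, tag_b64 = token.split(".", 1)
        payload = unb64(payload_b64)
        expected = hmac.new(self.mac_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(tag_b64)):
            raise ValueError("token tag mismatch")
        claims = json.loads(payload)
        if claims["exp"] <= now:
            raise ValueError("token expired")
        key = xor(unb64(claims["key"]), keystream(self.enc_key, unb64(claims["nonce"]), 32))
        self.keys[claims["kid"]] = (key, claims["exp"])  # cache for token-less requests
        return claims["kid"]

    def verify(self, now, params, method, host, path, body=b""):
        try:
            if "access_token" in params and self._unwrap(params["access_token"], now) != params["id"]:
                return False, "kid does not match token"
        except ValueError as err:
            return False, str(err)
        entry = self.keys.get(params["id"])
        if entry is None:
            return False, "unknown key id; resend access_token"
        key, exp = entry
        if exp <= now:
            self.keys.pop(params["id"])
            return False, "session key expired"
        if abs(now - params["ts"]) > self.skew:
            return False, "timestamp outside window"
        replay_key = (params["id"], params["ts"], params["nonce"])
        if replay_key in self.seen:
            return False, "replayed nonce"
        expected = request_mac(key, params["ts"], params["nonce"], method, host, path, body)
        if not hmac.compare_digest(expected, params["mac"]):
            return False, "mac mismatch"
        self.seen.add(replay_key)
        return True, "ok"


def demo():
    """Constructed walk-through: only the first request carries the token."""
    rs_key, now = os.urandom(32), int(time.time())
    token, kid, session_key = AuthorizationServer(rs_key).issue(now)
    client, rs = Client(token, kid, session_key), ResourceServer(rs_key)
    first = client.authorize(now, "GET", "rs.example", "/resource")
    second = client.authorize(now + 1, "POST", "rs.example", "/resource", b"x=1")
    third = client.authorize(now + 2, "GET", "rs.example", "/secret")
    return {
        "first": rs.verify(now, first, "GET", "rs.example", "/resource"),
        "second": rs.verify(now + 1, second, "POST", "rs.example", "/resource", b"x=1"),
        "replay": rs.verify(now + 2, second, "POST", "rs.example", "/resource", b"x=1"),
        "tampered": rs.verify(now + 2, third, "GET", "rs.example", "/other"),
        "uncached": ResourceServer(rs_key).verify(now + 3, third, "GET", "rs.example", "/secret"),
    }
```

The `uncached` case is the practical consequence of making the token conditional: a resource server that has lost its key cache (restart, or a different node behind a load balancer) answers with a request to resend the access token, and the client must be prepared to do so rather than treating the first request as the only one that ever carries it.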