Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

William Mills <wmills@yahoo-inc.com> Thu, 17 November 2011 16:22 UTC

> 1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?


Briefly... No.  Because it doesn't actually solve the whole problem and mandates a particular security model.  


Not so briefly....  


It tries to solve the client-to-server interoperability by ensuring that there is a supported auth type, but in fact it will mandate a security model which is something the core spec has specifically avoided.  Signed tokens (MAC etc.) and bearer type tokens (Bearer, JWT, etc.) are different in their security characteristics.

It also does not solve at all the problem of token compatibility, which is something the auth and protected service endpoints have to agree on within a realm.  It is difficult to justify that there has to be realm to realm compatibility.


What we actually need to support as MTI is that the clients can discover what authentication schemes are supported for the endpoints they want to access and select a method they support.  This is very much in the SSL model of choosing key exchange and cipher suites.

-bill
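To make the discovery-and-selection step described above concrete, here is an added example (not code from this thread or from any OAuth implementation) of a client parsing a WWW-Authenticate response that carries several challenges and picking one in its own preference order, the way a TLS client chooses among offered cipher suites. The sample header and the simplified RFC 2617-style challenge grammar it assumes are constructed for illustration.

```python
import re

# Constructed sample: a protected resource offering two schemes in one header.
SAMPLE_HEADER = ('Bearer realm="api.example", scope="read", '
                 'MAC realm="api.example", algorithm=hmac-sha-1')

# Assumed simplified RFC 2617-style grammar: several challenges may share one
# header, and commas separate both parameters and challenges (token68 omitted).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
SCHEME = re.compile(rf'({TOKEN})(?=[ \t,]|$)')

def _skip(header, pos):
    """Advance past whitespace and comma separators."""
    while pos < len(header) and header[pos] in ' \t,':
        pos += 1
    return pos

def parse_challenges(header):
    """Return [(scheme, {param: value}), ...] in the order the server listed them."""
    challenges, pos = [], 0
    while (pos := _skip(header, pos)) < len(header):
        m = SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge near offset {pos}")
        scheme, params, pos = m.group(1).lower(), {}, m.end()
        while True:
            pm = PARAM.match(header, _skip(header, pos))
            if not pm:   # next item is a new scheme (or the end), not a parameter
                break
            if pm.group(2) is None:
                value = pm.group(3)                       # unquoted token
            else:
                value = re.sub(r'\\(.)', r'\1', pm.group(2))  # unescape quoted-string
            params[pm.group(1).lower()] = value
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges

def select_scheme(header, client_preference):
    """Pick the first scheme in the client's preference list that the server
    offered; None when nothing overlaps (the client must then fail cleanly)."""
    offered = dict(parse_challenges(header))
    for want in client_preference:
        if want.lower() in offered:
            return want.lower(), offered[want.lower()]
    return None

if __name__ == "__main__":
    print(select_scheme(SAMPLE_HEADER, ["MAC", "Bearer"]))
```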


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type

Stephen, as AD, brought up the question of mandatory-to-implement token types, in the IETF 82 meeting.  There was some extended discussion on the point:

- Stephen is firm in his belief that it's necessary for interoperability.  He notes that mandatory to *implement* is not the same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting or negotiating a token type, there is no value in having any type be mandatory to implement.

Stephen is happy to continue the discussion on the list, and make his point clear.  In any case, there was clear consensus in the room that we *should* specify a mandatory-to-implement type, and that that type be bearer tokens.  This would be specified in the base document, and would make a normative reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts the discussion.  Let's work on resolving this over the next week or so, and moving forward:

1. Should we specify some token type as mandatory to implement?  Why or why not (*briefly*)?

2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth