IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Phil Hunt <phil.hunt@oracle.com> Wed, 16 February 2011 17:00 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D28AD3A6CD0 for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:00:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.482
X-Spam-Level:
X-Spam-Status: No, score=-6.482 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cnY0ZDtvLlB8 for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:00:17 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 2B4B33A6EA5 for <oauth@ietf.org>; Wed, 16 Feb 2011 09:00:17 -0800 (PST)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id p1GH0eri026584 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 16 Feb 2011 17:00:42 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id p1GEnU2L023467; Wed, 16 Feb 2011 17:00:38 GMT
Received: from abhmt001.oracle.com by acsmt355.oracle.com with ESMTP id 1060469091297875636; Wed, 16 Feb 2011 09:00:36 -0800
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 16 Feb 2011 09:00:35 -0800
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A91D3ED3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 16 Feb 2011 09:00:32 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <316BD51B-625D-49B2-9DB8-3368C8A01E29@oracle.com>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3ED3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1082)
X-Source-IP: acsmt355.oracle.com [141.146.40.155]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090205.4D5C02B7.0201:SCFMA4539814,ss=1,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 17:00:20 -0000

Re: 4.3. This could be something to put in security considerations.  Since there will be reasonable cases where for example a password hash is retained.  And as indicated by Eran, this is a best practice rather then an inter-op issue.

Phil
phil.hunt@oracle.com




On 2011-02-16, at 8:34 AM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>> Sent: Wednesday, January 26, 2011 12:09 PM
> 
>> - 4.3. Resource Owner Password Credentials. The 3rd paragraph states that
>> the client MUST discard the credentials once it obtains an access token. I
>> think it SHOULD discard once it obtains a *refresh* token.
> 
> Since this MUST cannot be confirmed, it serves as a community educational tool more than anything else. I rather leave it without conditions.
> 
>> - 4.5. Extensions. For new grant types, we are not using a registry. Is that OK?
> 
> No need. The registry is only to prevent name collisions and since we are using URIs, they already have built-in namespaces.
> 
>> - 5.2. Error Response. The fist part of the first paragraph talks about 401 and
>> client credentials in the Authorization header. Since this was dropped from
>> core, this looks strange.
> 
> This is specific to client authentication, not grant verification or protected resources. I'll clarify.
> 
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email