Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Bill Mills <wmills_92105@yahoo.com> Mon, 09 March 2015 05:39 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5399F1A6EF1 for <oauth@ietfa.amsl.com>; Sun, 8 Mar 2015 22:39:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.509
X-Spam-Level:
X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyeaZ-q33rHd for <oauth@ietfa.amsl.com>; Sun, 8 Mar 2015 22:39:41 -0700 (PDT)
Received: from nm7.bullet.mail.bf1.yahoo.com (nm7.bullet.mail.bf1.yahoo.com [98.139.212.166]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEAA71A6FF7 for <oauth@ietf.org>; Sun, 8 Mar 2015 22:39:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1425879580; bh=sSqV4rrYYyDkykPShD74AAsrPtCtcH/VzCff9nr2ESc=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject; b=B/aIsEU12jfTmZBfrK2yj5qOBMX9NIY/GcC/mt1loZunynWAanQeOLm8pOlxrPi/tYFdhQ9GSGEwg5BQjk9cwWflwqrcDWTaQ+AWTGxV502bNbAzo1S672AWSOZ+r6NOJpAjFW3ljxHPJtv4GOHC5hU5jcboPCIuTKAyJSx8QtCNyN83ea2Y5k8gChOP+6L2p22XOAWnomvSVccUIzuFKlsmvSIb4ZnMYBAUBIB1VpbDW62V7jJ2zyXVeV49vYumK4NLNLzs18Cg5Ps0CpeY5r7cBnBOk4yCdcpjRJ0FOUF9UCnWkxoPIh2EEsH0QI9YR2/XGU7VGzCot51pDuTg/Q==
Received: from [66.196.81.173] by nm7.bullet.mail.bf1.yahoo.com with NNFMP; 09 Mar 2015 05:39:40 -0000
Received: from [98.139.212.213] by tm19.bullet.mail.bf1.yahoo.com with NNFMP; 09 Mar 2015 05:39:40 -0000
Received: from [127.0.0.1] by omp1022.mail.bf1.yahoo.com with NNFMP; 09 Mar 2015 05:39:40 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 110214.40113.bm@omp1022.mail.bf1.yahoo.com
X-YMail-OSG: gpD3_j4VM1nSHmRF9JNWB058nQ4fAIynDLOCisGIpsfktzI3K4TSavvwMENlfz2 hMuJ7kaBJpN0nam7vC8QCejNgx8VWKk2TLTWOxi9Yiv4L6cSzDceQV.ySV1Q9akVA7rxuTqBt9uk DnQofqkXr0_2HLrtGuSMq50rb9oN8421Qhpk7EphafkkcQLomSGDqjWKVXj5_cGZLEbDi1w59XHv Xohn0Rpoey4g0bDi8nmi9B4wl1fETl21MGv3RuzSDsJtb5AEkzMEj031MDKlTYhdvVyDkTvg.4E4 Dea_rFizloiP2wqcmRvXKgUW0l1Mp.BRyPhxV2m0QtJ6wZloxU_aDbpaoYZPEho.xj1GsU1S11iy NTy2d1Aq8vlGf.aJc0o.AONLlivwQMR5O6KLGXHl9r7Ny_9X4ic3Qxp4U3YqVItaKEkh5lg0FM6y .fjwrF_2bA_B3gC2na5Fd5.CrUNIzRji96djf7lMdsY2VHwH8Gj6I4F1vn0d3ZhvziL839oWMn_2 RCdxTMjtBh5wPEjR5LbhGxqj3Ya8.tRpdiWYiHKUNfM84
Received: by 76.13.26.137; Mon, 09 Mar 2015 05:39:39 +0000
Date: Mon, 9 Mar 2015 05:39:39 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <370734452.1179117.1425879579160.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A366B14BD@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A366B14BD@xmb-rcd-x10.cisco.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1179116_1569807263.1425879579148"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Id6EoSczHw6lv_8ZlCJG71OH09U>
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 05:39:43 -0000

Explain to me why there should be one other than the desire to over-specify?  Why is one so clearly superior to any of the various possibilities that it should be mandated?
I do not think that there is any clearly superior mechanism and so making any particular one MTI is pointless and just likely to cause perfectly good implementations to be out of spec. 

     On Sunday, March 8, 2015 10:24 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
   

 #yiv3556672566 #yiv3556672566 -- _filtered #yiv3556672566 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv3556672566 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv3556672566 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv3556672566 {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;}#yiv3556672566 #yiv3556672566 p.yiv3556672566MsoNormal, #yiv3556672566 li.yiv3556672566MsoNormal, #yiv3556672566 div.yiv3556672566MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv3556672566 a:link, #yiv3556672566 span.yiv3556672566MsoHyperlink {color:blue;text-decoration:underline;}#yiv3556672566 a:visited, #yiv3556672566 span.yiv3556672566MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv3556672566 span.yiv3556672566EmailStyle17 {color:#1F497D;}#yiv3556672566 .yiv3556672566MsoChpDefault {} _filtered #yiv3556672566 {margin:1.0in 1.0in 1.0in 1.0in;}#yiv3556672566 div.yiv3556672566WordSection1 {}#yiv3556672566 Hi Bill,    Can you please provide more details why mandating specific key distribution mechanism is not appropriate especially in case of loosely coupled systems ?    -Tiru    From: Bill Mills [mailto:wmills_92105@yahoo.com]
Sent: Monday, March 09, 2015 10:27 AM
To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?    I do not believe making any specific key distribution MTI is aproprpiate.    On Sunday, March 8, 2015 8:06 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:    Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3discusses long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism.

In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled).

Thoughts on which one should be mandatory to implement ?
(This question came up in ISEG review and probably would be a question for proof-of-possession work as well)

Thanks and Regards,
-Tiru 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
> 
> Hi all,
> 
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
> 
> Ciao
> Hannes
> 
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
> 
> 
> Hiya,
> 
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
> 
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
> 
> Thanks in advance,
> S.
> 
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth