IETF Logo Mail Archive

Re: [OAUTH-WG] Client authentication requirement

Shane B Weeden <sweeden@au1.ibm.com> Thu, 16 June 2011 01:28 UTC

Return-Path: <sweeden@au1.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF09111E8173 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 18:28:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGA5nEZITTNs for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 18:28:54 -0700 (PDT)
Received: from e23smtp01.au.ibm.com (e23smtp01.au.ibm.com [202.81.31.143]) by ietfa.amsl.com (Postfix) with ESMTP id CC2F511E8080 for <oauth@ietf.org>; Wed, 15 Jun 2011 18:28:53 -0700 (PDT)
Received: from d23relay05.au.ibm.com (d23relay05.au.ibm.com [202.81.31.247]) by e23smtp01.au.ibm.com (8.14.4/8.13.1) with ESMTP id p5G1OSlj026685 for <oauth@ietf.org>; Thu, 16 Jun 2011 11:24:28 +1000
Received: from d23av04.au.ibm.com (d23av04.au.ibm.com [9.190.235.139]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p5G1Ribw1523738 for <oauth@ietf.org>; Thu, 16 Jun 2011 11:27:44 +1000
Received: from d23av04.au.ibm.com (loopback [127.0.0.1]) by d23av04.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p5G1SjfU009841 for <oauth@ietf.org>; Thu, 16 Jun 2011 11:28:45 +1000
Received: from d23ml004.au.ibm.com (d23ml004.au.ibm.com [9.190.250.23]) by d23av04.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id p5G1SjiL009834; Thu, 16 Jun 2011 11:28:45 +1000
In-Reply-To: <BANLkTinLoG_Dc08rmHagPGP23-jkKHdtJgv_zHkU9DR6fZ_TgQ@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234475E986AF7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTi=EAr2oH9JAX4gaEgRqbS-jeU4N-g@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986B88@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTimfjFjuA9dbA7jV63JVTN+YF9i6zcU+2=iMEYHCRgpdnA@mail.gmail.com> <OF8F1316AF.C9515F06-ON4A2578B0.007767CC-4A2578B0.007D8140@au1.ibm.com> <BANLkTinLoG_Dc08rmHagPGP23-jkKHdtJgv_zHkU9DR6fZ_TgQ@mail.gmail.com>
X-KeepSent: 46AAB970:0BDB52D7-4A2578B1:0007709C; type=4; name=$KeepSent
To: Brian Eaton <beaton@google.com>
X-Mailer: Lotus Notes Release 8.5.1FP1 SHF20 February 10, 2010
Message-ID: <OF46AAB970.0BDB52D7-ON4A2578B1.0007709C-4A2578B1.00081C65@au1.ibm.com>
From: Shane B Weeden <sweeden@au1.ibm.com>
Date: Thu, 16 Jun 2011 11:28:35 +1000
X-MIMETrack: Serialize by Router on d23ml004/23/M/IBM(Release 8.5.1FP4HF290 | June 6, 2011) at 16/06/2011 11:32:09
MIME-Version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client authentication requirement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2011 01:28:54 -0000

Brian Eaton <beaton@google.com> wrote on 16-06-2011 10:36:18 AM:

> From: Brian Eaton <beaton@google.com>
> To: Shane B Weeden/Australia/IBM@IBMAU
> Cc: OAuth WG <oauth@ietf.org>
> Date: 16-06-11 10:49 AM
> Subject: Re: [OAUTH-WG] Client authentication requirement
>
> On Wed, Jun 15, 2011 at 3:50 PM, Shane B Weeden <sweeden@au1.ibm.com>
wrote:
> Brain - can you elaborate on that a little? Are you suggesting that
clients
> that can't keep secrets use a dummy (notasecret) pwd anyway to satisfy
> "requiring client authentication"?
>
> Or use random secrets.  Whatever floats your boat and keeps your
> product managers happy.  It does not make a practical security
> difference for installed applications.

That is the same thing as not requiring client authentication at all (for
installed applications). Having the spec say client authentication is
REQUIRED for the token endpoint is therefore misleading and nonsensical.

>
> What seems to be missing in the discussion and the security
considerations
> of the spec is a decent list of general and grant-type-specific security
> implications/pros/cons for the system if meaningful client authentication
> at the token endpoint is available or not available.
>
> Yep.

I believe this piece of work would go a long way to settling the disputes
about when/why/if client authentication should be required at the token
endpoint. For example I would like to see attempts to answer this question:
If client authentication is not possible or required at the token endpoint
for native/installed apps, what advantages are gained from requiring it for
clients that can authenticate?

v2.38.3 | Report a Bug | By Email | System Status