Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Bill Mills <wmills_92105@yahoo.com> Mon, 09 March 2015 04:56 UTC

Date: Mon, 9 Mar 2015 04:56:42 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/M6gyPV7MV-1VTGDEsossu6aI4qY>

I do not believe making any specific key distribution MTI is appropriate.

On Sunday, March 8, 2015 8:06 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:

Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses a long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism.

In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled).

Thoughts on which one should be mandatory to implement?
(This question came up in IESG review and probably would be a question for proof-of-possession work as well.)

Thanks and Regards,
-Tiru

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
> 
> Hi all,
> 
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
> 
> Ciao
> Hannes
> 
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
> 
> 
> Hiya,
> 
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
> 
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
> 
> Thanks in advance,
> S.
> 
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
> 