Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Wed, 29 September 2010 07:55 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 320883A6B23; Wed, 29 Sep 2010 00:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgzTSk5KghKx; Wed, 29 Sep 2010 00:55:21 -0700 (PDT)
Received: from mtagate3.uk.ibm.com (mtagate3.uk.ibm.com [194.196.100.163]) by core3.amsl.com (Postfix) with ESMTP id CADE63A6C3F; Wed, 29 Sep 2010 00:55:20 -0700 (PDT)
Received: from d06nrmr1507.portsmouth.uk.ibm.com (d06nrmr1507.portsmouth.uk.ibm.com [9.149.38.233]) by mtagate3.uk.ibm.com (8.13.1/8.13.1) with ESMTP id o8T7u2Em020383; Wed, 29 Sep 2010 07:56:02 GMT
Received: from d06av05.portsmouth.uk.ibm.com (d06av05.portsmouth.uk.ibm.com [9.149.37.229]) by d06nrmr1507.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id o8T7u2p73158250; Wed, 29 Sep 2010 08:56:02 +0100
Received: from d06av05.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av05.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id o8T7u2E4018872; Wed, 29 Sep 2010 01:56:02 -0600
Received: from d06ml093.portsmouth.uk.ibm.com (d06ml093.portsmouth.uk.ibm.com [9.149.104.171]) by d06av05.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id o8T7u1Xq018867; Wed, 29 Sep 2010 01:56:02 -0600
In-Reply-To: <BE4113B3-D849-4BA1-B8FC-975C636D1303@gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB5BE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BE4113B3-D849-4BA1-B8FC-975C636D1303@gmail.com>
X-KeepSent: 4576070A:5F974BC0-802577AD:002AB50B; type=4; name=$KeepSent
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Lotus Notes Release 8.5.1 September 28, 2009
Message-ID: <OF4576070A.5F974BC0-ON802577AD.002AB50B-802577AD.002B9415@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Wed, 29 Sep 2010 08:55:26 +0100
X-MIMETrack: Serialize by Router on D06ML093/06/M/IBM(Release 8.0.2FP6|July 15, 2010) at 29/09/2010 08:55:28
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Cc: "OAuth WG \(oauth@ietf.org\)" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 07:55:22 -0000

I echo Dick's sentiment, mildly

-1 to splitting acquiring and using a token. It may not confuse people
actively engaged in the WG but what about everyone else?

Also, as Torsten and I look at security considerations, I wonder if there
are some examples that link the threat model for acquiring a token and
using a token.  So:

1) Will the decisions a service provider make when granting a token depend
on, or affect, the use case for using that token?
2) Will the use case, grant type or other flow parameters a client selects
for acquiring a token, depend on how they will use that token?

I don't have concrete examples to back this up but possibilities include:
automatic granting of access token, refresh tokens, non-secure channels, ??

Regards
Mark McGloin

Dick Hardt wrote on 29/09/2010 01:08

> I am mildly concerned that breaking the spec into multiple parts makes it
harder for the spec reader to understand what is going on. Where does a
complete example of > getting and using a token? Imagine how confusing HTTP
would be if the request and response were in separate specs.