Re: [OAUTH-WG] OAuth 1.0a
Hannes Tschofenig <hannes.tschofenig@nsn.com> Wed, 15 August 2012 06:32 UTC
Date: Wed, 15 Aug 2012 09:32:06 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: William Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: O Auth WG <oauth@ietf.org>
Hi Bill,

On 8/15/12 9:16 AM, "ext William Mills" <wmills_92105@yahoo.com> wrote:

> Fundamentally MAC and any HoK that uses symmetric keys are equivalent. Either
> can pull in the same profile of HTTP stuff into the signature.

The issue is: a small change in the protocol specification makes the two
mechanisms incompatible. Hence, you have to provide the code for the two and a
possible negotiation mechanism along with it. For example, the fact that OAuth
1.0 does not allow for automatic token refresh already makes the OAuth 1.0 MAC
and the OAuth 2.0 MAC different.

> I commented on your argument that MAC and Bearer have equivalent security
> properties in a different thread.

Sorry. I missed that. Do you have a pointer for me by chance?

Ciao
Hannes

> -bill
>
> From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> To: William Mills <wmills_92105@yahoo.com>
> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Torsten Lodderstedt <torsten@lodderstedt.net>; O Auth WG <oauth@ietf.org>
> Sent: Tuesday, August 14, 2012 10:49 PM
> Subject: Re: [OAUTH-WG] OAuth 1.0a
>
> Hi Bill,
>
> how do you know that the outcome of the security discussions is unlikely to be
> different than MAC?
>
> The views about TLS had changed in the meanwhile (a few years ago many thought
> it is too heavy and too expensive to get certificates), and we now have the
> JSON work as well. On top of that we may also want to provide not just client
> to server key confirmation with integrity protection of a few fields but more
> than that. In a nutshell the solution has to provide better security than
> bearer -- not just be different.
>
> Ciao
> Hannes
>
> On Aug 14, 2012, at 10:53 PM, William Mills wrote:
>
>> I want to get the SASL work done. HoK is interesting, but I've become
>> convinced that it's not actually anything that needs its own spec, you can
>> do HoK with MAC or any other signed scheme by including the needed proof of
>> ownership in the token. HoK, however it works out, is unlikely to vary a
>> lot from the elements that would currently be needed to support MAC or 1.0a
>> and if needed can just extend the SASL mechanism.
>>
>> -bill
>>
>> From: Torsten Lodderstedt <torsten@lodderstedt.net>
>> To: William Mills <wmills_92105@yahoo.com>
>> Cc: Mike Jones <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org>
>> Sent: Tuesday, August 14, 2012 12:42 PM
>> Subject: Re: [OAUTH-WG] OAuth 1.0a
>>
>> Hi Bill,
>>
>> do you need to specify this aspect of your SASL profile now? Why don't you
>> wait for the group to complete the work on signing/HoK?
>>
>> You could also contribute your use cases to drive the discussion.
>>
>> best regards,
>> Torsten.
>>
>> On 14.08.2012 21:37, William Mills wrote:
>>
>>> It's for the OAUTH SASL spec. I've been writing it with the idea that
>>> OAuth 1.0a would work (since I think we'll have extant 1.0a type tokens we
>>> want to allow for IMAP), but several folks were saying when this all started
>>> that 1.0a was dead and I should not refer to it.
>>>
>>> I want to make sure the SASL mechanism is built to properly handle signed
>>> auth schemes and not just bearer (cookie) type.
>>>
>>> -bill
>>>
>>> From: Mike Jones <Michael.Jones@microsoft.com>
>>> To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org>
>>> Sent: Tuesday, August 14, 2012 12:28 PM
>>> Subject: RE: [OAUTH-WG] OAuth 1.0a
>>>
>>> What problem are you trying to solve?
>>>
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
>>> Sent: Tuesday, August 14, 2012 12:22 PM
>>> To: O Auth WG
>>> Subject: [OAUTH-WG] OAuth 1.0a
>>>
>>> What's the general opinion on 1.0a? Am I stepping in something if I
>>> refer to it in another draft? I want to reference an auth scheme that uses
>>> signing and now MAC is apparently going back to the drawing board, so I'm
>>> thinking about using 1.0a.
>>>
>>> Thanks,
>>>
>>> -bill
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
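Added illustration of the Bearer-versus-MAC point argued in this thread, not code from the thread or from any OAuth draft: a simplified MAC-style holder-of-key verifier in Python. The normalized request string, the header field names (id, ts, nonce, mac), the replay window and the sample key are all assumptions for the example, not the draft-ietf-oauth-v2-http-mac format; the point shown is that a captured MAC header cannot be reused for a different request or replayed, whereas a bearer verifier would accept the token id alone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential: the token id travels in the clear, the
# session key is known only to the client and the resource server.
TOKEN_DB = {"kid-0001": {"mac_key": b"constructed-session-key-do-not-reuse"}}


def normalized_request(ts, nonce, method, uri, host, port):
    # Simplified normalization (assumption, not the exact draft format):
    # one field per line, so the MAC binds timestamp, nonce, method,
    # request URI, host and port together.
    return "\n".join([ts, nonce, method.upper(), uri, host, port, ""]).encode()


def client_sign(token_id, method, uri, host, port, now=None, nonce=None):
    # What a MAC-capable client attaches instead of a plain bearer token.
    key = TOKEN_DB[token_id]["mac_key"]
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, normalized_request(ts, nonce, method, uri, host, port),
                   hashlib.sha256).hexdigest()
    return {"id": token_id, "ts": ts, "nonce": nonce, "mac": mac}


class MacVerifier:
    """Resource-server side check; a bearer verifier would only look up the id."""

    def __init__(self, db, window_seconds=300):
        self.db, self.window, self.seen = db, window_seconds, set()

    def verify(self, auth, method, uri, host, port, now=None):
        now = time.time() if now is None else now
        tok = self.db.get(auth.get("id"))
        if tok is None:
            return "unknown token"
        try:
            ts = int(auth["ts"])
        except (KeyError, ValueError):
            return "bad timestamp"
        if abs(now - ts) > self.window:
            return "stale"                      # outside the freshness window
        nonce = auth.get("nonce", "")
        expected = hmac.new(tok["mac_key"],
                            normalized_request(auth["ts"], nonce, method, uri, host, port),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth.get("mac", "")):
            return "bad mac"                    # header captured, request altered
        if (auth["id"], nonce) in self.seen:
            return "replay"                     # identical request seen before
        self.seen.add((auth["id"], nonce))
        return "ok"
```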