IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 1.0a

Hannes Tschofenig <hannes.tschofenig@nsn.com> Wed, 15 August 2012 06:32 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24F6F11E80AE for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.549
X-Spam-Level:
X-Spam-Status: No, score=-105.549 tagged_above=-999 required=5 tests=[AWL=-0.947, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuKpE5GUjAA4 for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 23:32:14 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id B845311E80A6 for <oauth@ietf.org>; Tue, 14 Aug 2012 23:32:12 -0700 (PDT)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q7F6W8tm012760 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 15 Aug 2012 08:32:08 +0200
Received: from demuexc023.nsn-intra.net (demuexc023.nsn-intra.net [10.150.128.36]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q7F6W8Tp019767; Wed, 15 Aug 2012 08:32:08 +0200
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Wed, 15 Aug 2012 08:32:08 +0200
Received: from 10.144.250.187 ([10.144.250.187]) by FIESEXC035.nsn-intra.net ([10.159.0.182]) via Exchange Front-End Server webmail.nsn-intra.net ([10.150.128.36]) with Microsoft Exchange Server HTTP-DAV ; Wed, 15 Aug 2012 06:32:07 +0000
User-Agent: Microsoft-Entourage/12.33.0.120411
Date: Wed, 15 Aug 2012 09:32:06 +0300
From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: William Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Message-ID: <CC511D16.8973%hannes.tschofenig@nsn.com>
Thread-Topic: [OAUTH-WG] OAuth 1.0a
Thread-Index: Ac16r7BXzjYdXSyIOEqICAFEIvu9VA==
In-Reply-To: <1345011361.54744.YahooMailNeo@web31816.mail.mud.yahoo.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3427867926_26679067"
X-OriginalArrivalTime: 15 Aug 2012 06:32:08.0204 (UTC) FILETIME=[B1A7C4C0:01CD7AAF]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 12317
X-purgate-ID: 151667::1345012328-00006F5F-545E10B4/0-0/0-0
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 06:32:15 -0000

Hi Bill, 


On 8/15/12 9:16 AM, "ext William Mills" <wmills_92105@yahoo.com> wrote:

> Fundamentally MAC and any HoK that uses symmetric keys are equivalent.  Either
> can pull in the same profile of HTTP stuff into the signature.
> 
> The issue is: a small change in the protocol specification makes the two
> mechanisms incompatible. Hence, you have to provide the code for the two and a
> possible negotiation mechanism along with it. For example, the fact that OAuth
> 1.0 does not allow for automatic token refresh already makes the OAuth 1.0 MAC
> and the OAuth 2.0 MAC different.
> 
> I commented on your argument that MAC and Bearer have equivalent security
> properties in a different thread.
> 
> Sorry. I missed that. Do you have a pointer for me by chance?
> 
> 
> Ciao
> Hannes
> 
> -bill
> 
>   
>  
>  
>   
> 
>   From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
>  To: William Mills <wmills_92105@yahoo.com>
> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Torsten Lodderstedt
> <torsten@lodderstedt.net>; O Auth WG <oauth@ietf.org>
>  Sent: Tuesday, August 14, 2012 10:49 PM
>  Subject: Re: [OAUTH-WG] OAuth 1.0a
>   
>  
> Hi Bill, 
> 
> how do you know that the outcome of the security discussions will unlikely be
> different than MAC?
> 
> The views about TLS had changed in the meanwhile (a few years ago many thought
> it is too heavy and too expensive to get certificates), and we now have the
> JSON work as well. On top of that we may also want to provide not just client
> to server key confirmation with integrity protection of a few fields but more
> than that. In a nutshell the solution has to provide better security than
> bearer -- not just be different.
> 
> Ciao
> Hannes
> 
> On Aug 14, 2012, at 10:53 PM, William Mills wrote:
> 
>> > I want to get the SASL work done.   HoK is interesting, but I've become
>> convinced that it's not actually anything that needs it's own spec, you can
>> do HoK with MAC or any other signed scheme by including the needed proof of
>> ownership in the token.   HoK, however it works out, is unlikely to vary a
>> lot from the elements that would currently be needed to support MAC or 1.0a
>> and if needed can just extend the SASL mechanism.
>> > 
>> > -bill
>> > 
>> > From: Torsten Lodderstedt <torsten@lodderstedt.net>
>> > To: William Mills <wmills_92105@yahoo.com>
>> > Cc: Mike Jones <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org>
>> > Sent: Tuesday, August 14, 2012 12:42 PM
>> > Subject: Re: [OAUTH-WG] OAuth 1.0a
>> > 
>> > Hi Bill,
>> > 
>> > do you need to specify this aspect of your SASL profile now? Why don't you
>> wait for the group to complete the work on signing/HoK?
>> > 
>> > You could also contribute your use cases to drive the discussion.
>> > 
>> > best regards,
>> > Torsten.
>> > 
>> > Am 14.08.2012 21:37, schrieb William Mills:
>>> >> It's for the OAUTH SASL spec.  I've been writing it with the idea that
>>> OAuth 1.0a would work (since I think we'll have extant 1.0a typ[e tokens we
>>> want to allow for IMAP), but several folks were saying when this all started
>>> that 1.0a was dead and I should not refer to it.
>>> >> 
>>> >> I want to make sure the SASL mechanism is build to properly handle signed
>>> auth schemes and not just bearer (cookie) type.
>>> >> 
>>> >> -bill
>>> >> 
>>> >> From: Mike Jones <Michael.Jones@microsoft.com>
>>> >> To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org>
>>> >> Sent: Tuesday, August 14, 2012 12:28 PM
>>> >> Subject: RE: [OAUTH-WG] OAuth 1.0a
>>> >> 
>>> >> What problem are you trying to solve?
>>> >>  
>>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
>>> William Mills
>>> >> Sent: Tuesday, August 14, 2012 12:22 PM
>>> >> To: O Auth WG
>>> >> Subject: [OAUTH-WG] OAuth 1.0a
>>> >>  
>>> >> What's the general opinion on 1.0a?  Am I stepping in something if I
>>> refer to it in another draft?  I want to reference an auth scheme that uses
>>> signing and now MAC is apparently going back to the drawing board, so I'm
>>> thinking about using 1.0a.
>>> >>  
>>> >> Thanks,
>>> >>  
>>> >> -bill
>>> >> 
>>> >> 
>>> >> 
>>> >> 
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> 
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
>  
>  
>   
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email