Re: [OAUTH-WG] Security Considerations - Access Tokens
William Mills <wmills@yahoo-inc.com> Mon, 31 October 2011 16:33 UTC
Yeah, there's a punt here... I believe it's recognizing that people will in fact use bearer tokens on a plaintext channel, the slight mitigation being shorter lifespan of the token.

________________________________
From: Dan Taflin <dan.taflin@gettyimages.com>
To: Marco De Nadai <denadai2@gmail.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Monday, October 31, 2011 8:54 AM
Subject: Re: [OAUTH-WG] Security Considerations - Access Tokens

To be consistent, section 10.3 should probably specify that the requirement of confidentiality in transit applies specifically to BEARER tokens. I would like to see this relaxed further though, as I argued last week, to accommodate situations where a token is scoped to a limited set of data that isn't particularly sensitive. My example was image search. It seems too restrictive to require TLS for an operation that does nothing more than what anyone could do by pointing a browser at our web site. HTTP cookies can be specified as either requiring or not requiring secure transport; it seems reasonable to allow the same option for bearer tokens, which fulfill an analogous role.

Dan

From: Marco De Nadai [mailto:denadai2@gmail.com]
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3 there is this statement:

    Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access Authentication, I can request a resource with the Access Token sent in the clear. This invalidates the "Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage". Is it my error?

--
Marco De Nadai
http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali
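An added illustration of the distinction the thread is circling (this is my own example, not code from the thread or from any of its authors): a resource-server check for a MAC-authenticated request in the style of the OAuth 2.0 MAC draft, where only the token identifier travels in the clear and the key never does, so an altered or replayed request fails even without TLS. The normalized-string layout, the 5-minute timestamp window and the hypothetical token values are my assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample credentials (assumption, not real): the key is handed to the
# client once over TLS at issuance; afterwards only the id appears on the wire.
TOKENS = {"h480djs93hd8": {"key": b"489dks293j39",
                            "expires": 1320078792 + 3600}}  # short-lived token
SEEN_NONCES = set()  # (token id, nonce) pairs already accepted


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    # Field order follows my recollection of the MAC draft (assumption):
    # timestamp, nonce, method, request URI, host, port, ext, each newline-terminated.
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(key, normalized):
    digest = hmac.new(key, normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def parse_mac_header(header):
    # Authorization: MAC id="...", ts="...", nonce="...", mac="..."
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC authorization header")
    return {k: v.strip('"') for k, _, v in
            (p.strip().partition("=") for p in params.split(","))}


def sign_request(token_id, ts, nonce, method, uri, host, port):
    """Client side: the key is used locally; only id/ts/nonce/mac are sent."""
    mac = compute_mac(TOKENS[token_id]["key"],
                      normalized_request_string(ts, nonce, method, uri, host, port))
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def verify_request(auth_header, method, uri, host, port, now=None):
    """Resource-server side: True only for a fresh, unexpired, untampered request."""
    now = time.time() if now is None else now
    p = parse_mac_header(auth_header)
    tok = TOKENS.get(p.get("id"))
    if tok is None or now > tok["expires"]:
        return False                       # unknown or expired token
    if abs(now - int(p["ts"])) > 300:      # stale timestamp (window is an assumption)
        return False
    if (p["id"], p["nonce"]) in SEEN_NONCES:
        return False                       # a captured request being replayed
    expected = compute_mac(tok["key"], normalized_request_string(
        p["ts"], p["nonce"], method, uri, host, port))
    if not hmac.compare_digest(expected, p["mac"]):
        return False                       # method/URI/host changed in transit
    SEEN_NONCES.add((p["id"], p["nonce"]))
    return True
```

A bearer token has no equivalent check: whoever reads it off the wire presents it unchanged, which is why section 10.3's transit-confidentiality requirement matters for bearer tokens specifically.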