Re: [OAUTH-WG] Security Considerations - Access Tokens

William Mills <wmills@yahoo-inc.com> Mon, 31 October 2011 16:33 UTC

References: <CAHWszSa89mm1GR0Wz26kFqvNQ3U7qjmXqawkkG5KXmb8stAErg@mail.gmail.com> <429493818451304B84EC9A0797B5D858250823@SEAPXCH10MBX01.amer.gettywan.com>
Message-ID: <1320078792.65184.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Mon, 31 Oct 2011 09:33:12 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Dan Taflin <dan.taflin@gettyimages.com>, Marco De Nadai <denadai2@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <429493818451304B84EC9A0797B5D858250823@SEAPXCH10MBX01.amer.gettywan.com>
Subject: Re: [OAUTH-WG] Security Considerations - Access Tokens

Yeah, there's a punt here...  I believe it's recognizing that people will in fact use bearer tokens on a plaintext channel, the slight mitigation being shorter lifespan of the token.  



________________________________
From: Dan Taflin <dan.taflin@gettyimages.com>
To: Marco De Nadai <denadai2@gmail.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Monday, October 31, 2011 8:54 AM
Subject: Re: [OAUTH-WG] Security Considerations - Access Tokens


To be consistent, section 10.3 should probably specify that the requirement of confidentiality in transit applies specifically to BEARER tokens.

I would like to see this relaxed further though, as I argued last week, to accommodate situations where a token is scoped to a limited set of data that isn’t particularly sensitive. My example was image search. It seems too restrictive to require TLS for an operation that does nothing more than what anyone could do by pointing a browser at our web site. HTTP cookies can be specified as either requiring or not requiring secure transport; it seems reasonable to allow the same option for bearer tokens, which fulfill an analogous role.

Dan

From: Marco De Nadai [mailto:denadai2@gmail.com]
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3, there is this statement:

Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access Authentication, I can request a resource with the Access Token sent in the clear. This invalidates the "Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

-- 
Marco De Nadai
http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali
 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
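Marco's question turns on what the MAC scheme actually puts on the wire: the token identifier travels in the clear, the MAC key never does, and the header is bound to one request. The following is an added illustration, not code from this thread or from the OAuth drafts: a simplified MAC-style resource-server verifier whose normalized string and header layout are modelled on the MAC draft but assumed here, with constructed placeholder credentials. It shows why a captured MAC header authorizes only the request it was computed for (a different URI or a repeated nonce is rejected), whereas a bearer token is reusable as-is and so needs the section 10.3 confidentiality requirement.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample MAC credentials (placeholders, not real values). The
# identifier is sent with every request; the key is never sent.
MAC_CREDENTIALS = {"h480djs93hd8": b"489dks293j39"}

def normalized_request(nonce, method, uri, host, port):
    # Simplified normalized request string, modelled on (but not identical
    # to) the MAC Access Authentication draft discussed in the thread.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port)]) + "\n"

def compute_mac(key, nonce, method, uri, host, port):
    msg = normalized_request(nonce, method, uri, host, port).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def build_authorization(mac_id, nonce, method, uri, host, port):
    # Client side: the Authorization header value that goes on the wire.
    mac = compute_mac(MAC_CREDENTIALS[mac_id], nonce, method, uri, host, port)
    return f'MAC id="{mac_id}", nonce="{nonce}", mac="{mac}"'

_PARAM = re.compile(r'(\w+)="([^"]*)"')

def verify_authorization(header, method, uri, host, port, seen_nonces):
    # Resource server side: recompute the MAC over the request actually
    # received and reject nonce reuse, so a header copied from one request
    # (for example off a plaintext channel) does not authorize another.
    if not header.startswith("MAC "):
        return False
    params = dict(_PARAM.findall(header[4:]))
    key = MAC_CREDENTIALS.get(params.get("id", ""))
    if key is None or "nonce" not in params or "mac" not in params:
        return False
    if params["nonce"] in seen_nonces:
        return False
    expected = compute_mac(key, params["nonce"], method, uri, host, port)
    if not hmac.compare_digest(expected, params["mac"]):
        return False
    seen_nonces.add(params["nonce"])
    return True
```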