Re: [OAUTH-WG] OAuth Security Discussions
zhou.sujing@zte.com.cn Wed, 19 September 2012 06:36 UTC
In-Reply-To: <50574E12.6060400@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <OFD89C737F.015D9043-ON48257A7E.0022E0EE-48257A7E.00245CF0@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Wed, 19 Sep 2012 14:36:19 +0800
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
Hi, Hannes,

draft-hardjono-oauth-umacore-04 is on the interaction between AS and RS utilizing OAuth; Ping's "OAuth Authorization Server Verification Interface" is on the RS requesting the AS to verify an access token for it because the RS could not do it itself. They are not on sharing long-lived keys between AS and RS which may be used in calculating and verifying the access token.

Ping's draft is an alternative solution for verifying an access token produced by knowledge of a key, e.g., MAC, without sharing the keys between AS and RS. It may be seen as a counter-example to "a complete key distribution protocol has to be defined."

Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote on 2012-09-18 00:21:38:

> Good point, Justin. I was thinking a bit too narrowly here.
>
> On 09/17/2012 05:13 PM, Justin Richer wrote:
> > On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
> >>> Since it is preferred to have a long-lived key shared between AS and RS in
> >>> this WG,
> >>> Is there any consideration for this key distribution and its security
> >>> requirements?
> >> So far we have had only discussions regarding the standardization of the
> >> AS<->RS server interaction in the context of the UMA work.
> >>
> >> You may want to have a look at
> >> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
> >>
> > Not quite true. There's also the token introspection, like Ping has
> > published[1] or what AOL or MITRE have both implemented. You also have
> > to account for those using structured tokens (like JWTs) with signatures
> > to communicate using the token itself, analogous to SAML assertions.
> >
> > When we brought it up during the re-chartering discussion, there seemed
> > to be a number of folks willing to work on publishing something in this
> > area.
> >
> > -- Justin
> >
> > [1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
> >
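The two verification models the message contrasts, as an added illustration that is not code from the thread or from any of the drafts it names: a constructed AS issues HMAC-protected tokens; in model 1 the RS receives the AS's key and validates locally (the key-distribution step the thread says no protocol defines), while in model 2 the RS hands the token back to the AS for verification so the key never leaves the AS. The class and function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example, not code from the thread: an AS issuing MAC-protected
# tokens, and the two RS-side verification models the message contrasts.

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_with_key(key: bytes, token: str):
    """Model 1: RS holds the AS's MAC key and validates locally.
    Returns the claims, or None if malformed or the MAC does not verify."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(tag)):
        return None
    return json.loads(b64u_decode(body))

class AuthorizationServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the AS in model 2
        self._revoked = set()

    def issue(self, claims: dict) -> str:
        body = b64u(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64u(tag)}"

    def revoke(self, token: str) -> None:
        self._revoked.add(token)

    def introspect(self, token: str) -> dict:
        """Model 2: RS sends the token back; AS verifies with its own key,
        so no key distribution to the RS is needed (the approach of the
        Ping verification-interface draft the message refers to)."""
        claims = verify_with_key(self._key, token)
        if claims is None or token in self._revoked:
            return {"active": False}
        return {"active": True, **claims}

    def share_key(self) -> bytes:
        # Model 1 needs this step; the thread notes no protocol defines it.
        return self._key
```

Besides avoiding key distribution, model 2 lets the AS reflect state such as revocation, which a locally validating RS cannot see from the MAC alone.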