IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens

John Bradley <ve7jtb@ve7jtb.com> Thu, 06 June 2013 09:22 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF41121F971F for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 02:22:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M4AVw454fvvo for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 02:22:40 -0700 (PDT)
Received: from mail-ea0-x22a.google.com (mail-ea0-x22a.google.com [IPv6:2a00:1450:4013:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id EECEC21F8C20 for <oauth@ietf.org>; Thu, 6 Jun 2013 02:22:24 -0700 (PDT)
Received: by mail-ea0-f170.google.com with SMTP id h10so2552508eaj.1 for <oauth@ietf.org>; Thu, 06 Jun 2013 02:22:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=84axLNDSJG3wDXKT3nbvXmhbDalYdu1O0EWCeXXRr/o=; b=bCh8umZjZKUt6gGQCeDk6n++mgL0JbqOXrH652qHPiCUlfaa0ht9oZCgIdiRJQMFTO ek4B4IAtTWBDvZII4uxP0afNOwQ1dnmZdjK3qKbb7ui0mJziCOs9+Bx3wRvLwwb0xh2w eYLjDi7N9RuGKs6PC7cf/w+VmBu1MXGKvBRIZB7cQEiZ3IZlEI2fFldH++Y1neUGUiKX 8lIc+3+c4F8YZ5PFmD5Eo/Qo4g1sumsjj7halTRYwe37c57q1mqJN00fhCQGmuR3L/tr Ayp+weSxJbUDp+xT/daA4QRkN/qeMoXFpquxsY0bn5aMMwi54/q8JGdRU4M5JbJlrQMB VCdQ==
X-Received: by 10.14.198.136 with SMTP id v8mr33131722een.68.1370510542232; Thu, 06 Jun 2013 02:22:22 -0700 (PDT)
Received: from ?IPv6:2001:610:131:7000:7813:a36e:8072:bd41? ([2001:610:131:7000:7813:a36e:8072:bd41]) by mx.google.com with ESMTPSA id bo9sm90990802eeb.9.2013.06.06.02.22.20 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 06 Jun 2013 02:22:20 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_35A8D043-E587-4892-995C-E2A1289D0D3A"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2A9F2764@USCHMBX001.nsn-intra.net>
Date: Thu, 06 Jun 2013 11:22:19 +0200
Message-Id: <92B2D90A-59A9-4EC0-93DB-7E226F3C4018@ve7jtb.com>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> <51A8C0ED.6040607@mitre.org> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com> <51A8FCA6.9050109@mitre.org> <004401ce5e3a$01854b70$048fe250$@reminetworks.com> <CA+ZpN24S9fEfFsgMtu8pN-ct-100+HVSHAfqO4Yy2SksrYt1eA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151B105DA5@WSMSG3153V.srv.dir.telstra.com> <CA+ZpN25_tguPtPDktm M8q=72EgnesignTuWE19wi61gCTLLL_g@mail.gmail.com> <1373E8CE237FCC43BCA36C6558612D2A9F26D0@USCHMBX001.nsn-intra.net> <919FB49B-2705-42E4-B5C3-B433C3F81C7F@ve7jtb.com> <1373E8CE237FCC43BCA36C6558612D2A9F2764@USCHMBX001.nsn-intra.net>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQn0TA9eOFdQ5hrh+JRYIzrhUOYv+Ny2mwPcrlGAAIkCIKZzaVz404q8b09CwPXdSoEdDL66
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 09:22:46 -0000

On the face of it I think adding proof of possession aught to be possible.   The hard part will be that those mechanisms assume a registered client.

I think the trick will be not crating a circular registration problem.    Adding the other token types to the RS will be simple in comparison.

John B.

On 2013-06-06, at 10:57 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> That’s fair, John.
>  
> Having a mandatory-to-implement mechanism in place is certainly useful. Pushing stronger security mechanisms to other specifications is also fine. It would be good to re-read the document to see whether we can actually fit the currently worked on security mechanisms into the spec at a later stage or whether there are some problems with the extensibility story.
>  
> Ciao
> Hannes
>  
> From: ext John Bradley [mailto:ve7jtb@ve7jtb.com] 
> Sent: Thursday, June 06, 2013 11:54 AM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: ext Tim Bray; Manger, James H; oauth@ietf.org
> Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
>  
> There are a couple of reasons.    
>  
> One criticism Hannes and others make of OAuth specs is they are not tightly profiled enough to be interoperable without further out of band configuration and profiling.
>  
> Making registration work with minimal ambiguity was a priority for Connect and that has carried over.
>  
> I am not opposed to having this extended at some point in the future, once we have a second token type.   The new token type should be available to do updates as well.
>  
> The problem is that starting down the HoK route potentially requires a registered client that may need to be registered to do the registration.   
> I think that is best left to another spec to sort out the possible turtles.
>  
> So the default needs to be bearer tokens unless registration is extended by another profile.
>  
> John B.
> On 2013-06-06, at 10:15 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
> 
> 
> Because bearer tokens have a stable RFC-numbered spec and are widely implemented and the registration flow as documented seems like it should work?  -T
>  
> That’s the answer for why there is support for bearer tokens but it is not the answer to why that’s the only supported mechanism.
> If we want to support stronger security mechanisms (which the group has decided to work on already) then we need to have a story on how to support the other mechanisms as well .
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email