Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt

Amos Jeffries <squid3@treenet.co.nz> Tue, 24 April 2012 05:13 UTC

Return-Path: <squid3@treenet.co.nz>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9CA21F864A for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2012 22:13:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[AWL=-4.826, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HOST_EQ_STATIC=1.172]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KagQXoiZXcZI for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2012 22:13:13 -0700 (PDT)
Received: from treenet.co.nz (ip-58-28-153-233.static-xdsl.xnet.co.nz [58.28.153.233]) by ietfa.amsl.com (Postfix) with ESMTP id 7FFD221F85FF for <oauth@ietf.org>; Mon, 23 Apr 2012 22:13:10 -0700 (PDT)
Received: from [10.1.1.14] (unknown [119.224.40.49]) by treenet.co.nz (Postfix) with ESMTP id 071F4E6E76; Tue, 24 Apr 2012 17:13:07 +1200 (NZST)
Message-ID: <4F963662.3050707@treenet.co.nz>
Date: Tue, 24 Apr 2012 17:13:06 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <20120424014600.2289.60899.idtracker@ietfa.amsl.com> <5ad1b8b31aa38e4c0ab3c8012a1b8290@treenet.co.nz> <4E1F6AAD24975D4BA5B16804296739436649663E@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436649663E@TK5EX14MBXC284.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 05:13:13 -0000

On 24/04/2012 4:33 p.m., Mike Jones wrote:
> What specific language would you suggest be added to what section(s)?
>
> 				-- Mike


Perhaps the last paragraph appended:
"

    Because of the security weaknesses associated with the URI method
    (see Section 5), including the high likelihood that the URL
    containing the access token will be logged, it SHOULD NOT be used
    unless it is impossible to transport the access token in the
    "Authorization" request header field or the HTTP request entity-body.
    Resource servers compliant with this specification MAY support this
    method.

    Clients requesting a URL containing the access token MUST also send a
    Cache-Control header containing the "no-store" option. Server success
    (2xx status) responses to these requests MUST contain a Cache-Control
    header with the "private" option.

"

I'm a little suspicious that the "SHOULD NOT" in that top paragraph likely should be a MUST NOT to further discourage needless use.


AYJ


>
> -----Original Message-----
> From: oauth-bounces@ietf.org On Behalf Of Amos Jeffries
> Sent: Monday, April 23, 2012 7:10 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
>
> On 24.04.2012 13:46, internet-drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This draft is a work item of the Web Authorization
>> Protocol Working Group of the IETF.
>>
>> 	Title           : The OAuth 2.0 Authorization Protocol: Bearer Tokens
>> 	Author(s)       : Michael B. Jones
>>                            Dick Hardt
>>                            David Recordon
>> 	Filename        : draft-ietf-oauth-v2-bearer-19.txt
>> 	Pages           : 24
>> 	Date            : 2012-04-23
>>
>>     This specification describes how to use bearer tokens in HTTP
>>     requests to access OAuth 2.0 protected resources.  Any party in
>>     possession of a bearer token (a "bearer") can use it to get access to
>>     the associated resources (without demonstrating possession of a
>>     cryptographic key).  To prevent misuse, bearer tokens need to be
>>     protected from disclosure in storage and in transport.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt
>
>
> The section 2.3 (URL Query Parameter) text is still lacking explicit and specific security requirements. The overarching TLS requirement is good in general, but insufficient in the presence of HTTP intermediaries on the TLS connection path as is becoming a common practice.
>
> The upcoming HTTPbis specs document this issue as a requirement for new auth schemes such as Bearer:
>
> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
> "
>         Therefore, new authentication schemes which choose not to carry
>         credentials in the Authorization header (e.g., using a newly
>         defined header) will need to explicitly disallow caching, by
>         mandating the use of either Cache-Control request directives
>         (e.g., "no-store") or response directives (e.g., "private").
> "
>
>
> AYJ
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
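As an added illustration of the two rules proposed above and of the HTTPbis caching concern quoted in the earlier message (added here; not code from the draft, from Amos, or from the working group), the following Python audits a captured request/response pair: it flags a URL-carried token whose request lacks Cache-Control: no-store or whose 2xx response lacks Cache-Control: private, shows the storability decision a shared cache makes from those same directives (per RFC 7234 section 3, the published form of the HTTPbis p6 draft), and shows the access-log line that records the token regardless. It assumes the query parameter is named access_token (the name used by the draft's section 2.3, which is not quoted in this thread); the sample messages, token value, client address and log timestamp are constructed for the demonstration.

```python
"""Audit an HTTP exchange that carries an OAuth 2.0 bearer token in the URL query.

Added example, not part of the bearer draft or the mailing-list thread.
Implements the two rules proposed above for the URI query-parameter method:
  * the request MUST carry `Cache-Control: no-store`;
  * a 2xx response MUST carry `Cache-Control: private`;
and shows what goes wrong without them: a shared cache decides storability
from exactly those directives and would key the stored response on a URL
that contains the token, and an access log records the token verbatim.
Assumptions: the query parameter is named `access_token` (the name the bearer
draft's section 2.3 uses; not quoted on this page); the sample messages,
token value, client address and log timestamp below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "access_token"  # assumption: parameter name from the draft's section 2.3

# Constructed sample exchanges (token value is an example, not a real credential).
BAD_REQ = ("GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1\r\n"
           "Host: server.example.com\r\n\r\n")
BAD_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
            '{"ok": true}')
GOOD_REQ = ("GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1\r\n"
            "Host: server.example.com\r\nCache-Control: no-store\r\n\r\n")
GOOD_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
             "Cache-Control: private\r\n\r\n" '{"ok": true}')
# Same request with the token in the Authorization header instead of the URL.
HDR_REQ = ("GET /resource HTTP/1.1\r\nHost: server.example.com\r\n"
           "Authorization: Bearer mF_9.B5f-4.1JqM\r\n\r\n")


def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start line, {lower-cased name: value}).
    Repeated header fields are joined with ", " as HTTP permits."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0], headers


def cache_directives(headers):
    """Set of Cache-Control directive names, lower-cased, arguments dropped."""
    value = headers.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


def token_in_query(request_target):
    """The bearer token carried in the request-target's query string, or None."""
    return parse_qs(urlsplit(request_target).query).get(TOKEN_PARAM, [None])[0]


def audit_exchange(raw_request, raw_response):
    """Violations of the proposed rules; an empty list means the exchange complies.
    The rules only apply when the token actually travels in the URL."""
    req_line, req_hdr = parse_message(raw_request)
    target = req_line.split(" ", 2)[1]
    if token_in_query(target) is None:
        return []
    violations = []
    if "no-store" not in cache_directives(req_hdr):
        violations.append("request lacks Cache-Control: no-store")
    status_line, resp_hdr = parse_message(raw_response)
    status = int(status_line.split(" ", 2)[1])
    if 200 <= status < 300 and "private" not in cache_directives(resp_hdr):
        violations.append("2xx response lacks Cache-Control: private")
    return violations


def shared_cache_key(raw_request, raw_response):
    """Simplified storability decision of a shared cache (RFC 7234 section 3, the
    published form of the HTTPbis p6 draft). Returns the cache key (method plus full
    URL, token included) when the cache would store the response, else None.
    Note the asymmetry: an Authorization header alone blocks storing, a token in
    the query string does not."""
    req_line, req_hdr = parse_message(raw_request)
    method, target = req_line.split(" ", 2)[:2]
    status_line, resp_hdr = parse_message(raw_response)
    status = int(status_line.split(" ", 2)[1])
    if method != "GET" or not 200 <= status < 300:
        return None
    if "authorization" in req_hdr or "no-store" in cache_directives(req_hdr):
        return None
    if cache_directives(resp_hdr) & {"no-store", "private"}:
        return None
    return "GET https://%s%s" % (req_hdr.get("host", ""), target)


def access_log_line(raw_request, raw_response, client="203.0.113.7"):
    """Common Log Format line as a server or proxy would write it (constructed timestamp).
    The token in the query string is logged verbatim whatever Cache-Control says."""
    req_line, _ = parse_message(raw_request)
    status = parse_message(raw_response)[0].split(" ", 2)[1]
    return '%s - - [24/Apr/2012:17:13:06 +1200] "%s" %s -' % (client, req_line, status)


if __name__ == "__main__":
    for name, req, resp in (("bad", BAD_REQ, BAD_RESP), ("good", GOOD_REQ, GOOD_RESP),
                            ("header", HDR_REQ, BAD_RESP)):
        print(name, audit_exchange(req, resp), shared_cache_key(req, resp))
    print(access_log_line(BAD_REQ, BAD_RESP))
```

Running it shows the contrast the thread is about: the header-carried token is never stored by a shared cache even with no Cache-Control at all, while the URL-carried token is stored under a key that contains it unless the proposed directives are present, and it appears in the log line in every case.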