Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 23 February 2016 15:00 UTC

To: oauth@ietf.org
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com> <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com> <1756F20F-CE42-4523-BE8E-450762D34697@ve7jtb.com> <05af01d16d4a$20230af0$606920d0$@nri.co.jp> <0CD2EAC7-A9B6-44AC-9644-7E20E345464F@ve7jtb.com> <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <56CC7400.5050708@connect2id.com>
Date: Tue, 23 Feb 2016 17:00:16 +0200
In-Reply-To: <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RQhnjrDjFvaALqqZx2fiP-KmIf4>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption


On 23/02/16 07:56, William Denniss wrote:
> I also wonder if the spec could be re-titled and focus on the use case that it
> solves (supporting multiple ASes without using Connect), rather than the
> attack it mitigates. I like that the metadata draft is targeted to solve a
> particular use case, while mitigating some attacks in the process.
I find this reframing an excellent idea. Today I shared the draft with a
few client devs I know. Starting from the use case makes it easier to
decide when you need to act (as opposed to figuring out what the attack
is and then why you need to act).

Does your client need to support more than one AS? Ok, then do this ...
because -> see security considerations.


Vladimir