Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 23 February 2016 15:00 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5A21B307C for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2016 07:00:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A96QbMPETWQM for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2016 07:00:19 -0800 (PST)
Received: from p3plsmtpa09-01.prod.phx3.secureserver.net (p3plsmtpa09-01.prod.phx3.secureserver.net [173.201.193.230]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F05401B3072 for <oauth@ietf.org>; Tue, 23 Feb 2016 07:00:18 -0800 (PST)
Received: from [192.168.0.104] ([77.77.164.50]) by p3plsmtpa09-01.prod.phx3.secureserver.net with id Mr0H1s00315ZTut01r0HDn; Tue, 23 Feb 2016 08:00:18 -0700
To: oauth@ietf.org
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com> <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com> <1756F20F-CE42-4523-BE8E-450762D34697@ve7jtb.com> <05af01d16d4a$20230af0$606920d0$@nri.co.jp> <0CD2EAC7-A9B6-44AC-9644-7E20E345464F@ve7jtb.com> <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N1110
Organization: Connect2id Ltd.
Message-ID: <56CC7400.5050708@connect2id.com>
Date: Tue, 23 Feb 2016 17:00:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040908090106080407010101"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RQhnjrDjFvaALqqZx2fiP-KmIf4>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 15:00:20 -0000
On 23/02/16 07:56, William Denniss wrote: > I also wonder if the spec could be re-titled and focus on use-case that it > solves (supporting multiple ASes without using Connect), rather than the > attack it mitigates. I like that the metadata draft is targeted to solve a > particular use-case, while mitigating some attacks the process. I find this reframing an excellent idea. Today I shared the draft with a few client devs I know. Starting from the use case makes it easier to decide when you need to act (as opposed to figuring out what the attack is and then why you need to act). Does your client need to support more than one AS? Ok, then do this ... because -> see security considerations. Vladimir
- [OAUTH-WG] Fixing the Authorization Server Mix-Up… Hannes Tschofenig
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Mike Jones
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Hans Zandbelt
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Phil Hunt (IDM)
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… William Denniss
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Hannes Tschofenig
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Mike Jones
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Hannes Tschofenig
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Mike Jones
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Nat Sakimura
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… William Denniss
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Antonio Sanso
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Daniel Fett
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- [OAUTH-WG] JWS Access Token concerns Sergey Beryozkin
- Re: [OAUTH-WG] JWS Access Token concerns Antonio Sanso
- Re: [OAUTH-WG] JWS Access Token concerns Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Roland Hedberg
- Re: [OAUTH-WG] JWS Access Token concerns Sergey Beryozkin
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Anthony Nadalin
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Anthony Nadalin
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Nat Sakimura
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… George Fletcher
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Hannes Tschofenig
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Brian Campbell
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Donald F. Coffin
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Torsten Lodderstedt
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… John Bradley
- Re: [OAUTH-WG] Fixing the Authorization Server Mi… Vladimir Dzhuvinov