Re: [OAUTH-WG] Secure Client Token Storage

Joseph A Holsten <joseph@josephholsten.com> Wed, 18 November 2009 08:33 UTC

Sender: Joseph Holsten <josephholsten@gmail.com>
Message-Id: <BA2CB317-7663-4CDF-B9AF-1A60E1680C55@josephholsten.com>
From: Joseph A Holsten <joseph@josephholsten.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <C728C11D.29773%eran@hueniverse.com>
Date: Wed, 18 Nov 2009 02:33:22 -0600
References: <C728C11D.29773%eran@hueniverse.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Secure Client Token Storage

I'm comfortable leaving it implicit if you are. It seems obvious to  
me, I just never know if it's obvious to everyone else who might  
implement.
--
j

Eran Hammer-Lahav supposedly wrote:

> Would you like to propose text?
>
> I think this is application specific. Isn’t calling it a token  
> *secret* enough? :-)
>
> EHL
>
>
> On 11/17/09 7:52 PM, "Joseph A Holsten" <joseph@josephholsten.com>  
> wrote:
>
> If browsers start having OAuth support, they're definitely going to
> need a secure store for those OAuth tokens, so my malicious app
> doesn't just dig through your Firefox config for access to tokens.
>
> This doesn't seem to be mentioned in draft-hammer-oauth-05, §4.7 is
> server specific, and §4.8 only recommends to hide the client
> credentials. Should the spec add a section recommending clients store
> access tokens in secure storage?
> --
> Joseph Holsten
> http://josephholsten.com
> mailto:joseph@josephholsten.com
> tel:+1-918-948-6747