Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Thu, 28 October 2010 19:44 UTC

From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: "'Hannes Tschofenig'" <hannes.tschofenig@nsn.com>, "ext Freeman, Tim" <tim.freeman@hp.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 28 Oct 2010 14:46:30 -0500
Thread-Topic: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)
Message-ID: <5710F82C0E73B04FA559560098BF95B124FC20CE11@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <59DD1BA8FD3C0F4C90771C18F2B5B53A653ACE4C0B@GVW0432EXB.americas.hpqcorp.net> <C8EF3373.2679%hannes.tschofenig@nsn.com>
In-Reply-To: <C8EF3373.2679%hannes.tschofenig@nsn.com>

Hannes,

>...
>There is a document in the draft repository that talks about use cases, 
>namely http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/
>But it had never gotten a lot of attention on the list. (I don't know 
>why.)

Actually, there is good news here: We've got 13 queries on the list (in addition to some private ones) with constructive suggestions, and we are working with Torsten on incorporating all of them. In particular, the next issue of the draft will include George's use case submitted recently.

Furthermore, as the WAC community is looking at OAuth, we will soon have a WAC use case (or a set of use cases).

So, I am pretty happy with the attention level: we get positive contribution while not getting disruption.

As for specific security issues, I think up to now we dealt with a different problem: Our use cases have reflected authentication requirements, but concentrated on the use scenarios (which protocol features should reflect) rather than dealing with specific threats that affect the features. This specific work will be coming from Torsten.

I am not sure whether the use case document should delve into security detail, except for cases (such as payment) that in themselves dictate the protection level. As Igor wrote, security requirements for accessing health records are very different from those for accessing photos on Flickr.

This is what I hope we can discuss at the meeting--formal or informal--in 10 days.
I am open to all suggestions.

Zachary


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, October 28, 2010 7:05 AM
To: ext Freeman, Tim; oauth@ietf.org
Subject: Re: [OAUTH-WG] So back to use cases? (was RE: Call for Consensus on Document Split)

Hey Tim, 

Earlier this year we had discussions around use cases but they did not lead
to more insight. 

There is a document in the draft repository that talks about use cases,
namely 
http://datatracker.ietf.org/doc/draft-zeltsan-oauth-use-cases/
But it had never gotten a lot of attention on the list. (I don't know why.)

Efforts to reach out to the Kantara UMA group for more sophisticated use
cases that motivate some security mechanisms have not produced anything
either. (I believe the reason was that the scenarios focused on the
user-experience aspect rather than on security differences.)

If you look at the draft that Blaine and I put together recently (see
http://datatracker.ietf.org/doc/draft-tschofenig-oauth-signature-thoughts/
) then you will notice that from a security point of view there is very
little difference between using message signing on the HTTP layer and using
TLS with respect to a certain class of security threats.

In our recommendation we actually suggest to recommend to go for the HTTP
layer security because we are worried that ***operational*** aspects will go
wrong in deployments.

While I was convinced initially that looking at the use cases will get us
further on the security questions it actually does not.

Ciao
Hannes

PS: Btw, your feedback on the security draft would be of interest to us.


On 10/27/10 9:09 PM, "ext Freeman, Tim" <tim.freeman@hp.com> wrote:

> On the face of it, it seems that discussion of whether and how to split the
> document has derailed collection of use cases.  If we had consensus on a list
> of use cases, that would mean we have identified the problems we're trying to
> solve.  This would still allow slimy political manipulation of the process by
> manipulating the use case list, but that would be progress.  It's better to
> have a protocol that solves a politically-defined set of problems than to have
> a politically-defined protocol that solves no identified problem.
