IETF Logo Mail Archive

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

Phil Hunt <phil.hunt@oracle.com> Fri, 17 May 2013 09:57 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3057121F93E6 for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 02:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.549
X-Spam-Level:
X-Spam-Status: No, score=-5.549 tagged_above=-999 required=5 tests=[AWL=-0.347, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTGpDO+hKK3X for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 02:57:33 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id DBBA921F92C2 for <oauth@ietf.org>; Fri, 17 May 2013 02:57:32 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r4H9vTYG003548 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 May 2013 09:57:30 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4H9vU0n020231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 17 May 2013 09:57:31 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4H9vUIM020225; Fri, 17 May 2013 09:57:30 GMT
Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 17 May 2013 02:57:30 -0700
References: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com> <4E1F6AAD24975D4BA5B1680429673943677327E5@TK5EX14MBXC283.redmond.corp.microsoft.com> <655FB525-6952-4517-BD4B-8ECD67F3087E@oracle.com> <4E1F6AAD24975D4BA5B168042967394367733A24@TK5EX14MBXC283.redmond.corp.microsoft.com> <A59C5E83-FADC-4621-9B43-8C9FC2CA0E65@oracle.com> <4E1F6AAD24975D4BA5B168042967394367733D51@TK5EX14MBXC283.redmond.corp.microsoft.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367733D51@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-8CBB286B-262D-4257-A6B3-2F49FAAB3C21"
Content-Transfer-Encoding: 7bit
Message-Id: <D0EBAF34-A8C1-4D5E-A92E-53E2B6AE6EC6@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 17 May 2013 02:57:29 -0700
To: Mike Jones <Michael.Jones@microsoft.com>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2013 09:57:38 -0000

Or, are you saying reg access token is a signed assertion echoing back the registration?

I have to think about that. Still don't see the value since there should be only one registration per client cred. 

To me the client token can also be the registration more easily with less complexity. 

Phil

Ps. Apologies just noticed I didn't reply all to group earlier. 

On 2013-05-17, at 1:16, Mike Jones <Michael.Jones@microsoft.com> wrote:

> I think you must understand something here.  The token in the registration spec *is* the token issued to the client by the registration server to represent the client's registration.
> 
> -- Mike
> 
> From: Phil Hunt
> Sent: 5/17/2013 9:53 AM
> To: Mike Jones
> Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
> 
> Well why not just use the client token?  
> 
> Phil
> 
> On 2013-05-17, at 0:19, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
>> Its not there for reasons related to expiration. It's there as an access token so the client can access and possibly update its client registration information.
>> 
>> -- Mike
>> 
>> From: Phil Hunt
>> Sent: 5/17/2013 1:02 AM
>> To: Mike Jones
>> Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
>> 
>> Sure. It isn't a new token format.  But it is yet another token with specific usage and security considerations.
>> 
>> I'm concerned about whether it makes sense to create yetanuthertoken just to handle expiry of a token whose expiry wasn't called for in the group or in the threat model (6749 or 6819).
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>> 
>> 
>> 
>> 
>> On 2013-05-16, at 3:26 PM, Mike Jones wrote:
>> 
>> > This is nothing more than an RFC 6750 bearer token.  These can expire, as explained in that draft.  (The can also be issued an a manner that they don't expire.)  Nothing new is being invented in this regard.
>> > 
>> >                                -- Mike
>> > 
>> > -----Original Message-----
>> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
>> > Sent: Thursday, May 16, 2013 2:35 PM
>> > To: oauth@ietf.org WG
>> > Subject: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
>> > 
>> > All,
>> > 
>> > In the dynamic registration draft, a new token type is defined called the "registration access token". Its use is intended to facilitate clients being able to update their registration and obtain new client credentials over time.  The client credential is issued on completion of the initial registration request by a particular client instance.
>> > 
>> > It appears the need for the registration access token arises from the implied assertion that client credentials should expire. 
>> > --> Is anyone expiring client credentials?
>> > 
>> > To date, we haven't had much discussion about client credential expiry. It leads me to the following questions:
>> > 
>> > 1.  Is there technical value with client credential/token expiry?  Keep in mind that client credential is only used with the token endpoint over TLS connection. It is NOT used to access resources directly.
>> > 
>> > 2.  If yes, on what basis should client credential/token expire?
>> >  a.  Time?
>> >  b.  A change to the client software (e.g. version update)?
>> >  c.  Some other reason?
>> > 
>> > 3. Is it worth the complication to create a new token type (registration access token) just to allow clients to obtain new client tokens?  Keep in mind that client tokens are only usable with the AS token endpoint.  Why not instead use a client token for dyn reg and token endpoint with the rule that once a client token has expired (if they expire), an expired token may still be used at the registration end-point.
>> > 
>> > 4. Are there other reasons for the registration token?
>> > 
>> > Thanks,
>> > 
>> > Phil
>> > 
>> > @independentid
>> > www.independentid.com
>> > phil.hunt@oracle.com
>> > 
>> > 
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email