Re: [OAUTH-WG] AD review of -22

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 02 November 2011 19:45 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Hi Stephen,

I'm concerned about your proposal (7) to make support for MAC a MUST for 
clients and BEARER a MAY only. In my opinion, this does not reflect the 
group's consensus. Besides this, the security threat analysis justifies 
usage of BEARER for nearly all use cases as long as HTTPS (incl. server 
authentication) can be utilized.

regards,
Torsten.


On 13.10.2011 19:13, Stephen Farrell wrote:
>
> Hi all,
>
> Sorry for having been quite slow with this, but I had a bunch
> of travel recently.
>
> Anyway, my AD comments on -22 are attached. I think that the
> first list has the ones that need some change before we push
> this out for IETF LC, there might or might not be something
> to change as a result of the 2nd list of questions and the
> rest are really nits that can be handled either now or later.
>
> Thanks for all your work on this so far - it's nearly there
> IMO and we should be able to get the IETF LC started once
> these few things are dealt with.
>
> Cheers,
> S.
>