Re: [OAUTH-WG] OAuth Bearer authentication - for proxies?

Amos Jeffries <squid3@treenet.co.nz> Sat, 31 December 2011 03:14 UTC

Message-ID: <4EFE7E22.9010200@treenet.co.nz>
To: ietf-http-wg@w3.org, oauth@ietf.org
References: <301AF9A4-395C-4B5A-8610-CD86BEE1401A@mnot.net> <abe2950b95b27818e9e6ebddc99a7b7e@treenet.co.nz>
In-Reply-To: <abe2950b95b27818e9e6ebddc99a7b7e@treenet.co.nz>

re-posting for cc to OAuth WG

On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>>   http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the 
> credentials is open to replay attacks when caching TLS middleware is 
> present. I believe this spec should mandate cache controls on 
> responses using that method. Otherwise a lot of HTTP compliant 
> middleware will feel free to store and supply the protected response 
> to later replay attacks.
>
>
>> During review, I wondered whether this might be a suitable scheme for
>> proxies; the draft doesn't currently specify it as such, and our list
>> of considerations for new schemes asks them to consider this.
>>
>> Do any of the proxy implementers on the list have thoughts about this
>> / possible interest in it?
>>
>
> I think it would be a good idea to prepare for. Quite a few admins 
> these days consider transit to be a service that needs authenticating 
> as much as any origin server resource. It might even encourage 
> progress on the TLS proxy connection developments we have been waiting 
> for.
>
> AYJ
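The caching concern raised above, worked through as an added example that is not part of the original mail or of the OAuth draft: a toy shared (proxy) cache sits between clients and a bearer-token-protected origin, and the token is presented either in the Authorization header or in the access_token URI query parameter (the section 2.3 method). The storage rules follow RFC 7234 section 3 for a shared cache; the URL, token value, origin behaviour and the 3600-second freshness lifetime are constructed for the demonstration. The interesting case is what a later request for the same URL gets back after the token has been revoked.

```python
# Added example: toy shared cache in front of an OAuth bearer-protected origin.
# Not code from the original mail or the OAuth draft; URL, token and origin
# behaviour are constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                      # full request target, query string included
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def directives(value: str) -> Set[str]:
    """Cache-Control directive names, lower-cased, with any values dropped."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


class SharedCache:
    """Stores what RFC 7234 lets a shared cache store and serves the stored
    response to any later request with the same method and URL."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str], Response] = {}

    def storable(self, req: Request, resp: Response) -> bool:
        req_cc = directives(req.headers.get("Cache-Control", ""))
        resp_cc = directives(resp.headers.get("Cache-Control", ""))
        if req.method != "GET" or resp.status != 200:
            return False
        if "no-store" in req_cc or "no-store" in resp_cc or "private" in resp_cc:
            return False
        # A response to a request carrying Authorization is not stored by a
        # shared cache unless the origin explicitly opts in.
        if "Authorization" in req.headers and not (resp_cc & {"public", "must-revalidate", "s-maxage"}):
            return False
        # Store only with explicit freshness; heuristic freshness is ignored here.
        return bool(resp_cc & {"max-age", "s-maxage"}) or "Expires" in resp.headers

    def fetch(self, req: Request, origin: Callable[[Request], Response]) -> Tuple[Response, str]:
        key = (req.method, req.url)
        if key in self.store:
            return self.store[key], "HIT"
        resp = origin(req)
        if self.storable(req, resp):
            self.store[key] = resp
        return resp, "MISS"


class Origin:
    """Resource server accepting a bearer token in the Authorization header
    or in the access_token query parameter. mark_private controls whether
    it adds Cache-Control: private to successful responses."""

    def __init__(self, mark_private: bool) -> None:
        self.valid_tokens: Set[str] = {"tok-AbC123"}   # constructed token
        self.mark_private = mark_private

    def __call__(self, req: Request) -> Response:
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if token is None:
            token = parse_qs(urlsplit(req.url).query).get("access_token", [None])[0]
        if token not in self.valid_tokens:
            return Response(401, {"WWW-Authenticate": 'Bearer realm="example"'}, "")
        cc = "private, max-age=3600" if self.mark_private else "max-age=3600"
        return Response(200, {"Cache-Control": cc}, "secret account data")


def replay_after_revocation(method: str, origin_private: bool, client_no_store: bool) -> Tuple[int, str]:
    """Legitimate client fetches, the token is revoked, then a second party
    who knows the same URL repeats the request through the same shared cache.
    Returns (status seen by the second party, "HIT" or "MISS")."""
    cache, origin = SharedCache(), Origin(origin_private)
    token = next(iter(origin.valid_tokens))
    headers: Dict[str, str] = {}
    url = "http://api.example/account"            # constructed URL
    if method == "header":
        headers["Authorization"] = "Bearer " + token
    else:                                         # URI query parameter method
        url += "?access_token=" + token
    if client_no_store:
        headers["Cache-Control"] = "no-store"
    first, _ = cache.fetch(Request("GET", url, dict(headers)), origin)
    assert first.status == 200
    origin.valid_tokens.discard(token)            # token revoked or expired
    second, state = cache.fetch(Request("GET", url, {}), origin)
    return second.status, state


if __name__ == "__main__":
    print(replay_after_revocation("header", False, False))  # (401, 'MISS')
    print(replay_after_revocation("query", False, False))   # (200, 'HIT') replayed
    print(replay_after_revocation("query", True, False))    # (401, 'MISS')
    print(replay_after_revocation("query", False, True))    # (401, 'MISS')
```

With the header method the shared cache refuses to store the response at all, so the second request reaches the origin and is rejected. With the query method and no cache directives the protected body is served straight from the cache after revocation, which is the replay the mail describes. Either side can close it: the origin marking the response private, or the client sending no-store on the request; both are the directives the draft recommends for the query parameter method, so the example also shows why they matter.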