Re: [OAUTH-WG] [http-auth] unbearable - new mailing list to discuss better than bearer tokens...
Phil Hunt <phil.hunt@oracle.com> Sat, 06 December 2014 16:08 UTC
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5481E0A7.2090604@cs.tcd.ie>
Date: Sat, 06 Dec 2014 08:08:04 -0800
Message-Id: <2DF4B463-DD15-42BE-85AE-121C14E19A8F@oracle.com>
References: <5481E0A7.2090604@cs.tcd.ie>
To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YB6KvR3w_y5HAvk5verAqQxhT2o
Cc: unbearable@ietf.org, oauth <oauth@ietf.org>
On the surface (as currently presented) this work appears to duplicate the POP work going on in OAuth. The key difference is that this work is focused on using ALPN to bind tokens to the TLS channel. From a use case perspective it is very close to OAuth POP, and a specific use case of the current OAuth POP (proof of possession) architecture.

I note that the OAuth WG had originally dropped TLS binding in part because TLS was not always end-to-end in cases where load-balancers were used. The identified use-cases required end-to-end proof of possession (e.g. to prevent token re-use and relaying).

Nevertheless, events and approaches change and this is worth discussing (again). I think the architectural/protocol issues around the use of load balancers have to be discussed as the current ALPN proposal may be unbearable for many.

Phil
@independentid
www.independentid.com
phil.hunt@oracle.com

> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Hiya,
>
> Following up on the presentation at IETF-91 on this topic, [1]
> we've created a new list [2] for moving that along. The list
> description is:
>
> "This list is for discussion of proposals for doing better than bearer
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
> The specific goal is chartering a WG focused on preventing security
> token export and replay attacks."
>
> If you're interested please join in.
>
> Thanks to Vinod and Andrei for agreeing to admin the list.
>
> We'll kick off discussion in a few days when folks have had
> a chance to subscribe.
>
> Cheers,
> S.
>
> PS: Please don't reply-all to this, join the new list, wait
> a few days and then say what you need to say:-)
>
> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
> [2] https://www.ietf.org/mailman/listinfo/unbearable
>
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
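The following is an added example, not code from this thread or from either the OAuth POP work or the ALPN-based proposal it discusses. It models the two points Phil raises: a token bound to the TLS channel defeats replay of an exported token over a different connection (where a plain bearer token does not), and that same binding is broken when a load balancer terminates TLS, because the backend observes a different channel than the client did. The key, the token format and the channel-binding byte strings are constructed assumptions so the script runs offline; the real TLS/ALPN binding mechanism is not reproduced.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Key shared by the issuing authorization server and the verifying resource
# server. Constructed value for this example only.
ISSUER_KEY = b"constructed-issuer-key-for-example-only"

# Constructed stand-ins for channel-binding values. In a real design these are
# derived from the TLS connection itself; here they are fixed bytes.
CHANNEL_CLIENT_TO_RS = b"tls-channel-client-to-resource-server"   # end-to-end TLS
CHANNEL_ATTACKER = b"tls-channel-attacker-to-resource-server"     # a different connection
CHANNEL_LB_TO_BACKEND = b"tls-channel-loadbalancer-to-backend"    # hop after TLS termination


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(subject: str, channel_binding: Optional[bytes], key: bytes = ISSUER_KEY) -> str:
    """Mint a MAC-protected token. With a channel binding it carries a hash of
    that binding (proof-of-possession style); without one it is a plain bearer token."""
    claims = {"sub": subject}
    if channel_binding is not None:
        claims["cb"] = hashlib.sha256(channel_binding).hexdigest()
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_b64(_mac(payload, key))}"


def verify_token(token: str, observed_channel: bytes, key: bytes = ISSUER_KEY) -> Tuple[bool, str]:
    """Resource-server check: integrity first, then the binding (if any) must match
    the channel the verifier itself observes on the connection carrying the token."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(_mac(payload, key), _unb64(mac_b64)):
            return False, "bad mac"
        claims = json.loads(payload)
    except ValueError:  # covers unpacking, base64 and JSON errors
        return False, "malformed"
    if "cb" not in claims:
        return True, "bearer token accepted (no binding to check)"
    expected = hashlib.sha256(observed_channel).hexdigest()
    if hmac.compare_digest(claims["cb"], expected):
        return True, "bound token accepted"
    return False, "channel binding mismatch"


def scenarios() -> dict:
    """Run the cases discussed in the message and return each verification result."""
    bearer = issue_token("alice", None)
    bound = issue_token("alice", CHANNEL_CLIENT_TO_RS)
    return {
        # Bearer token: accepted wherever it is presented, including after export.
        "bearer_legit": verify_token(bearer, CHANNEL_CLIENT_TO_RS),
        "bearer_replayed": verify_token(bearer, CHANNEL_ATTACKER),
        # Bound token: accepted only on the channel it was bound to.
        "bound_legit": verify_token(bound, CHANNEL_CLIENT_TO_RS),
        "bound_replayed": verify_token(bound, CHANNEL_ATTACKER),
        # Load balancer terminates TLS: the backend sees its own hop, not the
        # client's channel, so a legitimate bound token is rejected.
        "bound_behind_tls_terminating_lb": verify_token(bound, CHANNEL_LB_TO_BACKEND),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:34s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The last case is the architectural issue the message points at: the binding check is only meaningful at the endpoint that terminates the client's TLS session, so a deployment with TLS-terminating load balancers either has to move verification (or the binding material) to that hop or accept that end-to-end proof of possession is not what it gets.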