Re: [OAUTH-WG] "shared symmetric secret"
Evan Gilbert <uidude@google.com> Thu, 15 July 2010 06:04 UTC
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Zachary Zeltsan <zachary.zeltsan@alcatel-lucent.com>, OAuth WG <oauth@ietf.org>

"Password" doesn't seem to be the right analogy. You don't (or really shouldn't) store passwords in plain text or in cookies.

How about "cookies"? Most web developers understand that cookies are used as a token that grants access to resources. We've also called these tokens "API cookies" when trying to describe them internally.

On Tue, Jul 13, 2010 at 4:34 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> I’m only using 2828 definition of capability, not password.
>
> EHL
>
> On 7/13/10 3:20 PM, "Zachary Zeltsan" <zachary.zeltsan@alcatel-lucent.com> wrote:
>
> According to the RFC 2828 an access token is rather a capability than a password. The passwords are usually associated with the matching identifiers, but an access token of OAuth 2.0 is used as a single credential that allows access to a protected resource.
>
> From RFC 2828:
>
> $ password
>
> (C) A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases the identity may be implicit.
>
> Zachary
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org]
> On Behalf Of Brian Eaton
> Sent: Tuesday, July 13, 2010 4:43 PM
> To: Faynberg, Igor (Igor)
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] "shared symmetric secret"
>
> On Tue, Jul 13, 2010 at 1:40 PM, Igor Faynberg <igor.faynberg@alcatel-lucent.com> wrote:
> > In this case, the term "capability" MUST be defined up front. The word "capability" seems to carry a much broader meaning than password...
>
> It has a standard definition we can reference. From http://www.ietf.org/rfc/rfc2828.txt
>
> $ capability
>
> (I) A token, usually an unforgeable data value (sometimes called a "ticket") that gives the bearer or holder the right to access a system resource. Possession of the token is accepted by a system as proof that the holder has been authorized to access the resource named or indicated by the token. (See: access control list, credential, digital certificate.)
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth