Re: [OAUTH-WG] Mandatory-to-implement token type

Mike Jones <Michael.Jones@microsoft.com> Sun, 04 December 2011 14:21 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7B921F8532 for <oauth@ietfa.amsl.com>; Sun, 4 Dec 2011 06:21:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.099
X-Spam-Level:
X-Spam-Status: No, score=-5.099 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTuG0BOyXLAk for <oauth@ietfa.amsl.com>; Sun, 4 Dec 2011 06:21:30 -0800 (PST)
Received: from TX2EHSOBE009.bigfish.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 45FCC21F8538 for <oauth@ietf.org>; Sun, 4 Dec 2011 06:21:30 -0800 (PST)
Received: from mail109-tx2-R.bigfish.com (10.9.14.235) by TX2EHSOBE009.bigfish.com (10.9.40.29) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 14:21:30 +0000
Received: from mail109-tx2 (localhost [127.0.0.1]) by mail109-tx2-R.bigfish.com (Postfix) with ESMTP id BA20B4C01E5; Sun, 4 Dec 2011 14:21:29 +0000 (UTC)
X-SpamScore: -50
X-BigFish: VS-50(zzbb2dK9371K542Mdf9M1432N1418M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail109-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail109-tx2 (localhost.localdomain [127.0.0.1]) by mail109-tx2 (MessageSwitch) id 1323008489231198_17935; Sun, 4 Dec 2011 14:21:29 +0000 (UTC)
Received: from TX2EHSMHS004.bigfish.com (unknown [10.9.14.238]) by mail109-tx2.bigfish.com (Postfix) with ESMTP id 31B9E640044; Sun, 4 Dec 2011 14:21:29 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS004.bigfish.com (10.9.99.104) with Microsoft SMTP Server (TLS) id 14.1.225.22; Sun, 4 Dec 2011 14:21:28 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.220]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Sun, 4 Dec 2011 06:21:24 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Paul Madsen <paul.madsen@gmail.com>
Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type
Thread-Index: AQHMpQLwA9RtSm1QTkeczilud+gNJJXIYlkAgAABeQCAABrqAIAAXtcAgAJmEwCAAQYDAIAAEiiA//96DYA=
Date: Sun, 04 Dec 2011 14:21:24 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F757A6B@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <CAH-8B6sjim_tcBkTPFWc1SnjhtHDQTR7sVT+aOjnYv7cs8JssA@mail.gmail.com> <4ED82D62.3070800@cs.tcd.ie> <CALaySJLKYLpPWc14_GUJKc5j1E3QovKQOx9HsdR-n2YV7kstpQ@mail.gmail.com> <4ED89384.9060603@cs.tcd.ie> <CAC4RtVBQdV+dwhzK903nkeNhsKzrHNFPYMK+EZtxRXnHWGs68w@mail.gmail.com> <4EDB726E.2060900@gmail.com> <4EDB81A9.5090007@cs.tcd.ie>
In-Reply-To: <4EDB81A9.5090007@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2011 14:21:31 -0000

The core spec should be completely silent on MAC, as it is not ready for prime time.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
Sent: Sunday, December 04, 2011 6:20 AM
To: Paul Madsen
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type


FWIW, if Barry's suggested text was amended to say "MUST do bearer, MAY do mac" I'd still be ok with that.

Much as I'd like if the mac scheme were more popular, my comment on -22 was interop and not really security related.

S

On 12/04/2011 01:15 PM, Paul Madsen wrote:
> Commercial OAuth authorization servers are neither 'toolkits' nor 
> 'purpose built code' - not used to build OAuth clients/servers but yet 
> required to support more variety in deployments than a single purpose 
> built server.
>
> But, that variety is driven by customer demand, and none of ours 
> (yet?) have demanded MAC. If and when that demand comes, we will add support.
>
> To stipulate MAC as MTI would in no way reflect what the market wants.
> And 'interop' nobody wants is not meaningful interop.
>
> paul
>
> On 12/3/11 4:37 PM, Barry Leiba wrote:
>> Stephen says:
>>> On 12/02/2011 03:20 AM, Barry Leiba wrote:
>>>> Maybe what would work best is some text that suggests what I say
>>>> above: that toolkits intended for use in implementing OAuth 
>>>> services in general... implement [X and/or Y], and that code 
>>>> written for a specific environment implement what makes sense for that environment.
>>>> It seems to me that to require any particular implementation in the 
>>>> latter case is arbitrary and counter-productive, and doesn't help 
>>>> anything interoperate. Whereas general-purpose toolkits that 
>>>> implement everything DO help interop.
>>> That'd work just fine for me.
>> OK, so here's what I suggest... I propose adding a new section 7.2, thus:
>>
>> -----------------------------------
>> 7.2 Access Token Implementation Considerations
>>
>> Access token types have to be mutually understood among the 
>> authorization server, the resource server, and the client -- the 
>> access token issues the token, the resource server validates it, and 
>> the client is required to understand the type, as noted in section 
>> 7.1, above. Because of that, interoperability of program code 
>> developed separately depends upon the token types that are supported 
>> in the code.
>>
>> Toolkits that are intended for general use (for building other 
>> clients and/or servers), therefore, SHOULD implement as many token 
>> types as practical, to ensure that programs developed with those 
>> toolkits are able to use the token types they need. In particular, 
>> all general-use toolkits MUST implement bearer tokens [...ref...] and 
>> MAC tokens [...ref...].
>>
>> Purpose-built code, built without such toolkits, has somewhat more 
>> flexibility, as its developers know the specific environment they're 
>> developing for. There's clearly little point to including code to 
>> support a particular token type when it's known in advance that the 
>> type in question will never be used in the intended deployment.
>> Developers of purpose-built code are encouraged to consider future 
>> extensions and to plan ahead for changes in circumstances, and might 
>> still want to include support for multiple token types. That said, 
>> the choice of token-type support for such purpose-built code is left 
>> to the developers and their specific requirements.
>> -----------------------------------
>>
>> I think that expresses a reasonable compromise that might actually be 
>> followed and might actually do some good. Comments? Can we go with 
>> this and close this issue? (And, sorry, I've been a Bad Chair, and 
>> haven't put this in the tracker.)
>>
>> Barry
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth