IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 1.0a

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 15 August 2012 05:49 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4CAA21F865C for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 22:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.311
X-Spam-Level:
X-Spam-Status: No, score=-102.311 tagged_above=-999 required=5 tests=[AWL=-0.312, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvogKzJtmtMp for <oauth@ietfa.amsl.com>; Tue, 14 Aug 2012 22:49:05 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id CD28021F8650 for <oauth@ietf.org>; Tue, 14 Aug 2012 22:49:04 -0700 (PDT)
Received: (qmail invoked by alias); 15 Aug 2012 05:49:03 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.105]) [88.115.216.191] by mail.gmx.net (mp016) with SMTP; 15 Aug 2012 07:49:03 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19/zZUauvt/EayQxP/4/P4K3hRbu+VOU20KHBPv9E Tl3ZUtUiXkIicd
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <1344974023.98979.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Wed, 15 Aug 2012 08:49:03 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <BCB8CADF-1B00-4388-85BA-3499953C9182@gmx.net>
References: <1344972117.60342.YahooMailNeo@web31802.mail.mud.yahoo.com> <4E1F6AAD24975D4BA5B168042967394366777A7F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1344973056.51964.YahooMailNeo@web31812.mail.mud.yahoo.com> <502AAA2D.1050404@lodderstedt.net> <1344974023.98979.YahooMailNeo@web31804.mail.mud.yahoo.com>
To: William Mills <wmills_92105@yahoo.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 05:49:05 -0000

Hi Bill, 

how do you know that the outcome of the security discussions will unlikely be different than MAC?

The views about TLS had changed in the meanwhile (a few years ago many thought it is too heavy and too expensive to get certificates), and we now have the JSON work as well. On top of that we may also want to provide not just client to server key confirmation with integrity protection of a few fields but more than that. In a nutshell the solution has to provide better security than bearer -- not just be different. 

Ciao
Hannes

On Aug 14, 2012, at 10:53 PM, William Mills wrote:

> I want to get the SASL work done.   HoK is interesting, but I've become convinced that it's not actually anything that needs it's own spec, you can do HoK with MAC or any other signed scheme by including the needed proof of ownership in the token.   HoK, however it works out, is unlikely to vary a lot from the elements that would currently be needed to support MAC or 1.0a and if needed can just extend the SASL mechanism.
> 
> -bill
> 
> From: Torsten Lodderstedt <torsten@lodderstedt.net>
> To: William Mills <wmills_92105@yahoo.com> 
> Cc: Mike Jones <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org> 
> Sent: Tuesday, August 14, 2012 12:42 PM
> Subject: Re: [OAUTH-WG] OAuth 1.0a
> 
> Hi Bill,
> 
> do you need to specify this aspect of your SASL profile now? Why don't you wait for the group to complete the work on signing/HoK? 
> 
> You could also contribute your use cases to drive the discussion.
> 
> best regards,
> Torsten.
> 
> Am 14.08.2012 21:37, schrieb William Mills:
>> It's for the OAUTH SASL spec.  I've been writing it with the idea that OAuth 1.0a would work (since I think we'll have extant 1.0a typ[e tokens we want to allow for IMAP), but several folks were saying when this all started that 1.0a was dead and I should not refer to it.
>> 
>> I want to make sure the SASL mechanism is build to properly handle signed auth schemes and not just bearer (cookie) type.  
>> 
>> -bill
>> 
>> From: Mike Jones <Michael.Jones@microsoft.com>
>> To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org> 
>> Sent: Tuesday, August 14, 2012 12:28 PM
>> Subject: RE: [OAUTH-WG] OAuth 1.0a
>> 
>> What problem are you trying to solve?
>>  
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
>> Sent: Tuesday, August 14, 2012 12:22 PM
>> To: O Auth WG
>> Subject: [OAUTH-WG] OAuth 1.0a
>>  
>> What's the general opinion on 1.0a?  Am I stepping in something if I refer to it in another draft?  I want to reference an auth scheme that uses signing and now MAC is apparently going back to the drawing board, so I'm thinking about using 1.0a.
>>  
>> Thanks,
>>  
>> -bill
>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> 
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email