Re: [OAUTH-WG] treatment of client_id for authentication and identification

"Lu, Hui-Lan (Huilan)" <huilan.lu@alcatel-lucent.com> Thu, 18 August 2011 22:13 UTC

From: "Lu, Hui-Lan (Huilan)" <huilan.lu@alcatel-lucent.com>
To: "Lu, Hui-Lan (Huilan)" <huilan.lu@alcatel-lucent.com>, 'Eran Hammer-Lahav' <eran@hueniverse.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 18 Aug 2011 17:13:40 -0500
Message-ID: <0E96A74B7DFCF844A9BE2A0BBE2C425F058F244275@USNAVSXCHMBSB3.ndc.alcatel-lucent.com>
References: <4E317125.7080006@lodderstedt.net> <CA56CA21.1758B%eran@hueniverse.com> <CA+k3eCTguAGGC1xGuuA0Z2sRu7MNCdtsUnb-3V9vmz4CFwxBYw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDD9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <0E96A74B7DFCF844A9BE2A0BBE2C425F058F244272@USNAVSXCHMBSB3.ndc.alcatel-lucent.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAB5D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <0E96A74B7DFCF844A9BE2A0BBE2C425F058F244274@USNAVSXCHMBSB3.ndc.alcatel-lucent.com>
In-Reply-To: <0E96A74B7DFCF844A9BE2A0BBE2C425F058F244274@USNAVSXCHMBSB3.ndc.alcatel-lucent.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification

I just noticed that some words were missing in my previous post. Here is the full text that Eran requested:

Allowing unauthenticated access to the token endpoint by public clients has security ramifications. So does
issuing refresh tokens to public clients. Such security ramifications MUST be considered. See section 10 for further details.

Huilan


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Lu,
> Hui-Lan (Huilan)
> Sent: Thursday, August 18, 2011 5:47 PM
> To: 'Eran Hammer-Lahav'; Brian Campbell
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification
> 
> > > It is difficult to parse the last sentence of 3.2.1: "The security ramifications of
> > > allowing unauthenticated access by public clients to the token endpoint
> > > MUST be considered, as well as the issuance of refresh tokens to public
> > > clients, their scope, and lifetime."
> > >
> > > I think it should be rewritten and reference relevant parts of security
> > > considerations.
> >
> > Text?
> >
> > EHL
> 
> Here is my stab:
> Allowing unauthenticated access by public clients has security ramifications. So does
> the issuance of refresh tokens to public clients. Such security ramifications MUST be
> considered. See section 10 for further details.
> 
> Huilan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth