IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

Leif Johansson <leifj@mnt.se> Thu, 15 September 2011 21:37 UTC

Return-Path: <leifj@mnt.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A5421F8B7A for <oauth@ietfa.amsl.com>; Thu, 15 Sep 2011 14:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.842
X-Spam-Level:
X-Spam-Status: No, score=-2.842 tagged_above=-999 required=5 tests=[AWL=-0.243, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D38urx8EudY8 for <oauth@ietfa.amsl.com>; Thu, 15 Sep 2011 14:37:26 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 6175A21F8B6D for <oauth@ietf.org>; Thu, 15 Sep 2011 14:37:26 -0700 (PDT)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id p8FLdTaE014927 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Thu, 15 Sep 2011 23:39:37 +0200 (CEST)
Message-ID: <4E727091.6090005@mnt.se>
Date: Thu, 15 Sep 2011 23:39:29 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.21) Gecko/20110831 Lightning/1.0b2 Thunderbird/3.1.13
MIME-Version: 1.0
To: oauth@ietf.org
References: <4E6E4FEA.7090100@sunet.se> <4E6E735D.3050806@cs.tcd.ie> <CALeNzwkrNFR3vJQp8VX-QNhsJP+gyvakT7Cq6pns+qxvGDw2rg@mail.gmail.com> <CAEwGkqDmACMh=KONBQKVvJajSORkhpvbSBvEjGDwvbEmyOXE4g@mail.gmail.com> <095f76831bcc353b2e44abc354a1b300@mail.gmail.com>
In-Reply-To: <095f76831bcc353b2e44abc354a1b300@mail.gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2011 21:37:27 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/15/2011 10:08 PM, Greg Brail wrote:
> I understand and thanks for clarifying. I agree that there may be services
> that do not want to support HTTP Basic at all for their authorization
> flows and that requiring it would weaken the security of OAuth 2.0 and
> prevent its usage by some applications.

Thats why I said that whenever you have negotiation you must think
about downgrade attacks. There are ways to mitigate those - for instance
by re-examining the available methods/mechanisms once a secure channel
has been established.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5ycJEACgkQ8Jx8FtbMZneO6QCfRWB6q7W7P5fZFOsNJKd6NT91
9E4AoJI3h6sB2O0ZZAQqt4OT4B4HG5T3
=+/QY
-----END PGP SIGNATURE-----

v2.15.0 | Report a Bug | By Email