IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Discussions

Justin Richer <jricher@mitre.org> Mon, 17 September 2012 14:13 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B4A121F869E; Mon, 17 Sep 2012 07:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.071
X-Spam-Level:
X-Spam-Status: No, score=-6.071 tagged_above=-999 required=5 tests=[AWL=-0.472, BAYES_00=-2.599, J_BACKHAIR_22=1, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwBqdI404h0e; Mon, 17 Sep 2012 07:13:34 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id E139D21F8644; Mon, 17 Sep 2012 07:13:33 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BD99E21B199A; Mon, 17 Sep 2012 10:13:32 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id A7F4021B1997; Mon, 17 Sep 2012 10:13:32 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.318.1; Mon, 17 Sep 2012 10:13:32 -0400
Message-ID: <50573008.7090200@mitre.org>
Date: Mon, 17 Sep 2012 10:13:28 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <OF6192366F.9DD38E70-ON48257A76.0011F223-48257A76.001221CB@zte.com.cn> <5057136C.6070600@gmx.net>
In-Reply-To: <5057136C.6070600@gmx.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.58]
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Security Discussions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 14:13:34 -0000

On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
>> Since it is prefered to have long lived key shared between AS and RS in
>> this WG,
>> Is there any consideration for this key distribution and its security
>> requirements?
> So far we have had only discussions regarding the standardization of the
> AS<->RS server interaction in the context of the UMA work.
>
> You may want to have a look at
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
>
Not quite true. There's also the token introspection, like Ping has 
published[1] or what AOL or MITRE have both implemented. You also have 
to account for those using structured tokens (like JWTs) with signatures 
to communicate using the token itself, analogous to SAML assertions.

When we brought it up during the re-chartering discussion, there seemed 
to be a number of folks willing to work on publishing something in this 
area.

  -- Justin

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html

v2.23.0 | Report a Bug | By Email