Re: [OAUTH-WG] OAuth Security Discussions
Justin Richer <jricher@mitre.org> Mon, 17 September 2012 14:13 UTC
Message-ID: <50573008.7090200@mitre.org>
Date: Mon, 17 Sep 2012 10:13:28 -0400
From: Justin Richer <jricher@mitre.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
References: <OF6192366F.9DD38E70-ON48257A76.0011F223-48257A76.001221CB@zte.com.cn> <5057136C.6070600@gmx.net>
In-Reply-To: <5057136C.6070600@gmx.net>
Subject: Re: [OAUTH-WG] OAuth Security Discussions
On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
>> Since it is preferred to have a long lived key shared between AS and RS in
>> this WG,
>> Is there any consideration for this key distribution and its security
>> requirements?
> So far we have had only discussions regarding the standardization of the
> AS<->RS server interaction in the context of the UMA work.
>
> You may want to have a look at
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
>

Not quite true. There's also the token introspection, like Ping has
published[1] or what AOL or MITRE have both implemented. You also have to
account for those using structured tokens (like JWTs) with signatures to
communicate using the token itself, analogous to SAML assertions. When we
brought it up during the re-chartering discussion, there seemed to be a
number of folks willing to work on publishing something in this area.

-- Justin

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
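As an added illustration (not part of this thread, and not code from Ping, AOL, MITRE or the UMA draft), the Python below sketches the two AS-to-RS patterns the message contrasts: a self-contained signed token (an HS256 JWT over a long-lived key shared between AS and RS) that the RS verifies locally, and an opaque token the RS resolves by asking the AS through an introspection-style lookup. The shared key, issuer and audience URLs, function names and the in-memory token store are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret standing in for the long-lived key shared between
# the AS and the RS; a real deployment distributes it out of band.
SHARED_KEY = b"constructed-demo-key-shared-between-as-and-rs"
ISSUER = "https://as.example"  # hypothetical issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def as_issue_jwt(key, subject, audience, lifetime, now=None):
    """AS side: mint an HS256 JWT whose claims the RS can check on its own."""
    if now is None:
        now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "scope": "read"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + _b64url(_sign(key, signing_input))


def rs_validate_jwt(key, token, expected_audience, now=None):
    """RS side: verify signature and claims with no call back to the AS.
    Returns the claims on success and None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm the RS was configured for; a header naming any other
    # algorithm (or none at all) is rejected before the signature is checked.
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_sign(key, parts[0] + "." + parts[1]), signature):
        return None
    if now is None:
        now = int(time.time())
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def with_modified_claims(token, **changes):
    """Re-encode the claims with changes but keep the original signature.
    Used only to show that the RS refuses a token whose body no longer
    matches its signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return ".".join([header_b64,
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()),
                     sig_b64])


# Introspection alternative: the RS holds an opaque token and asks the AS.
_ISSUED = {}  # constructed in-memory record of tokens the AS has issued


def as_issue_opaque(subject, audience, lifetime, now=None):
    """AS side: hand out a random opaque token and remember what it means."""
    if now is None:
        now = int(time.time())
    token = secrets.token_urlsafe(32)
    _ISSUED[token] = {"sub": subject, "aud": audience,
                      "exp": now + lifetime, "scope": "read"}
    return token


def as_introspect(token, now=None):
    """AS side: answer the RS's question 'is this token active, and for whom?'"""
    if now is None:
        now = int(time.time())
    record = _ISSUED.get(token)
    if record is None or record["exp"] <= now:
        return {"active": False}
    return {"active": True, **record}


if __name__ == "__main__":
    jwt = as_issue_jwt(SHARED_KEY, "alice", "https://rs.example", 300)
    print("local validation:", rs_validate_jwt(SHARED_KEY, jwt, "https://rs.example"))
    opaque = as_issue_opaque("bob", "https://rs.example", 300)
    print("introspection:", as_introspect(opaque))
```

The two halves make the trade-off in the message concrete: with the JWT the RS never talks to the AS at request time but must hold the shared key and enforce the claims (algorithm, issuer, audience, expiry) itself, while with the opaque token the RS needs only network reachability to the AS and the AS keeps the authoritative state, so revocation takes effect immediately.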
- [OAUTH-WG] OAuth Security Discussions Hannes Tschofenig
- [OAUTH-WG] some comments Re: OAuth Security Discu… zhou.sujing
- Re: [OAUTH-WG] some comments Re: OAuth Security D… Hannes Tschofenig
- Re: [OAUTH-WG] some comments Re: OAuth Security D… zhou.sujing
- Re: [OAUTH-WG] some comments Re: OAuth Security D… zhou.sujing
- Re: [OAUTH-WG] OAuth Security Discussions zhou.sujing
- Re: [OAUTH-WG] some comments Re: OAuth Security D… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Discussions Hannes Tschofenig
- Re: [OAUTH-WG] some comments Re: OAuth Security D… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Discussions Justin Richer
- Re: [OAUTH-WG] OAuth Security Discussions Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Discussions John Bradley
- [OAUTH-WG] Reply: Re: some comments Re: OAuth Securi… zhou.sujing
- Re: [OAUTH-WG] OAuth Security Discussions zhou.sujing