[OAUTH-WG] MAC Token Comments
Justin Richer <jricher@mitre.org> Fri, 12 August 2011 18:43 UTC
From: Justin Richer <jricher@mitre.org>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 12 Aug 2011 14:43:48 -0400
Cc: "Anganes, Amanda L" <aanganes@mitre.org>

2: MAC Key: "The server MUST NOT reissue a previously issued MAC key and MAC key identifier combination."

3: I would still like to see a binding for post body and url parameters. This could be as simple as defining a set of parameter names for everything used in the auth header, but I'm still given the impression that this has been deemed outside the scope of the MAC token. Our use case is to pass around signed URLs between servers with all query parameters protected by the signature, which we use 2-legged OAuth 1.0 for today. We can try to get language for this together if there's enough draw for it, but I haven't been hearing that from other folks yet so we might just try to draft an extension to the extension, instead.

5: This section's wording should be brought more in line with the descriptions of the OAuth protocol in both core and bearer, which in turn should actually be a bit closer together themselves. Seems like we need a succinct elevator pitch for "what is OAuth2" to drop into all of these locations (and other extension specs) -- anybody want to take a crack at distilling one from these three sources?

7.9: Grammar tweak: "Those designing additional methods should evaluate the compatibility of the normalized request string with their own security requirements."

 -- Justin Richer