IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac

Bill Mills <wmills_92105@yahoo.com> Tue, 16 July 2013 01:24 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1749011E8118 for <oauth@ietfa.amsl.com>; Mon, 15 Jul 2013 18:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.669
X-Spam-Level:
X-Spam-Status: No, score=-1.669 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z0nvrVZdAdIf for <oauth@ietfa.amsl.com>; Mon, 15 Jul 2013 18:24:00 -0700 (PDT)
Received: from nm47-vm9.bullet.mail.bf1.yahoo.com (nm47-vm9.bullet.mail.bf1.yahoo.com [216.109.114.218]) by ietfa.amsl.com (Postfix) with ESMTP id 8515521F99F6 for <oauth@ietf.org>; Mon, 15 Jul 2013 18:23:59 -0700 (PDT)
Received: from [98.139.215.142] by nm47.bullet.mail.bf1.yahoo.com with NNFMP; 16 Jul 2013 01:23:59 -0000
Received: from [98.139.212.246] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 16 Jul 2013 01:23:58 -0000
Received: from [127.0.0.1] by omp1055.mail.bf1.yahoo.com with NNFMP; 16 Jul 2013 01:23:58 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 895743.59085.bm@omp1055.mail.bf1.yahoo.com
Received: (qmail 41231 invoked by uid 60001); 16 Jul 2013 01:23:58 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1373937838; bh=mqZM+J4+DXXVY90LetemSv4C3tBHcCjNTwrVDGIoCjs=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=d9CFxvPYTrxZTnP93TWQkM9qQ8EuwPuP3N0HXxO3HQvu+fYhO53AhOtnyHp1ps/1+hIQltGOjpYj36Rw2SPqqS/HcKEiNZ4W64jq2HpT1O2VLGcE4w1Kx4Z0spOOCHTKwNh7+nwcxHHQRSZGoKNgLlfa9G6yfcjtXkTJoz+SzWI=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Of2sqHEen4tBUbaWkW51j3kbGGUPSDg3opkPKaFcdIPGxaK446xk2UjlkUR/j7+mqLps5mF5GAPvb4JZy2iB/YkdrCpndWSdZ3QQB1LBAle/xEN2cHm1A6uZ+E5NRa67F1GRhGGwVX2xBjia5DtEsiWwelq5IzM7wgJWeFUCtX8= ;
X-YMail-OSG: KSbq1CMVM1nR.GQ1iFfJ15ijjm8LF4e1Hyfs1ZTaOdyb2M1 YWYLizSVj0699CkiHPamn6kBAWB5m1yUau6TX_4ZLmrF.yspKRnDUv1t0zvv UwenQh4SOvoocwGwgszV.e.Ri6Di5NdIEZdYlwoshZUisZEoRlD20S.Cp1g. EEFeTEionNijmnO66VR.lwYmhqDDhzu_clt3n0V2h0FHEhtjkXNYOF1rRzii hDaxwSJJNHfZayCvM4nnxWJTfHox9TGtjQitU12BhbhwjHsD.50VR.arzwE4 Y66p3_uIRfGiQDXBGyyX3QDxH_SAWk1sIKJebGq_fDTydpMlzOp_0aBTQjco ZVp7wq.6T7a3FV5Bb0MYbLaMKTP1VQw.w_DlE1vWltul6R8UK94qy1NMOacH 67KfecKT5CN61NkjzBj.Kc9KYPB69XQXtGvzoURABb7EXtnmY3rYMbHel8mi m9._MQg5sgxxpB_uHbY9roX25dKtWG_jZ4H3wnJHp2vCHuFwdK8JKvj5w5LF CJJi_fowtzR9OoYZyHKYNPf7kjXlgvOQlW4GH6kqxMgn7gQQ7P5Cw3oHhFOe KfuKf6K.7MCHzkCLJeMYtiQzEIliGBCs6Oesh3FrOGzgcssNwx7g1OIB5LWk jbAU2mWSCxsSFDO2Gk5ZITRHNB0tb
Received: from [209.131.62.113] by web142801.mail.bf1.yahoo.com via HTTP; Mon, 15 Jul 2013 18:23:58 PDT
X-Rocket-MIMEInfo: 002.001, U2VjdGlvbiA0LjI6CgoiYWNjb21wbGlzaGVkIGJ5IGNvbnZleWluZyB0aGUgZW5jcnlwdGluZyBtYWNfa2V5IGluc2lkZSB0aGUgYWNjZXNzIHRva2VuIiB0aGUgdXNlIG9mICJlbmNyeXB0aW5nIiBpcyB3cm9uZyB0aGVyZSBJIHRoaW5rIGRpZCB5b3UgbWVhbiBlbmNyeXB0ZWQ_CgpTZWN0aW9uIDUuMTogwqBUaGUgQk5GIGlzIHdyb25nIEkgdGhpbms6CgotImlkIiBpcyB1bmRlcmZpbmVkLCBpbnN0ZWFkIHlvdSBkZWZpbmUga2lkCi13aGVyZSBpcyBhIGZpZWxkIHNlcGFyYXRvciBkZWZpbmVkPwotd2hpdGUBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.148.557
References: <DD60BBE0-5859-4D81-9DA1-EB413FF4BA8E@gmx.net> <51E45994.7090708@gmail.com> <A91B5807-A357-4FAA-A5DC-60978E7B7208@gmx.net>
Message-ID: <1373937838.15298.YahooMailNeo@web142801.mail.bf1.yahoo.com>
Date: Mon, 15 Jul 2013 18:23:58 -0700
From: Bill Mills <wmills_92105@yahoo.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Sergey Beryozkin <sberyozkin@gmail.com>
In-Reply-To: <A91B5807-A357-4FAA-A5DC-60978E7B7208@gmx.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="469468616-1149639785-1373937838=:15298"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 01:24:05 -0000

Section 4.2:

"accomplished by conveying the encrypting mac_key inside the access token" the use of "encrypting" is wrong there I think did you mean encrypted?

Section 5.1:  The BNF is wrong I think:

-"id" is underfined, instead you define kid
-where is a field separator defined?
-whitespace is just bad news here I think, there's no requirement in the BNF to quote strings with whitespace.

Additional comments:

0) Section 5.2 needs a lot more, yes?

1) timestamp isn't great for replay protection, if strong replay protection is needed we should require a nonce or sequence number.

2) why does kid need to be in the MAC header?  In fact, why is it required at all?


-bill



________________________________
 From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Sergey Beryozkin <sberyozkin@gmail.com> 
Cc: oauth@ietf.org 
Sent: Monday, July 15, 2013 1:36 PM
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-http-mac
 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Sergey, 

sorry that I missed your earlier questions. 

On Jul 15, 2013, at 10:20 PM, Sergey Beryozkin wrote:

> Hi Hannes, All,
> 
> Thanks for the update.
> 
> I asked last time but did not get an answer:
> - why the use of access token is mandated to be 'conditional' - if you think I need to read the text more carefully, then please do not hesitate to say so :-), I'll give it a try
> 
The reason is that the keying material associated with the access token may be cached by client and the resource server. Hence, you may not need to send the access token with every request. 

I am working on some examples that will illustrate this nicely. 

> - Reading "Session Key Transport to Resource Server" section makes me nervous. May be I'm missing the point, but I wonder, what happened to that draft which had a chance to go mainstream ? Do editors target a new MAC token at large OAuth2 implementers only ? It appears to me the focus is more on getting JWT more recognized as opposed to making a simple MAC scheme working...I'm sorry if I sound like I've no clue what I'm talking about, but please make this section read such that people can implement the scheme without having to know what JWT or a dynamic introspection mechanism is

In Section 4 we discuss different key distribution mechanisms. There has to be a story for how the session key gets from the Authorization Server securely to the Resource Server. 
Not discussing that topic (like done before) does not make the issue go away and so we describe the options. We will not get through the IETF process without having an answer to that question. 

Hence, the only question is: which key distribution mechanism do you like most? I had asked that question to the group before and the consensus so far was "stick the key in the access token".  This is what Section 4.2 currently describes. 

I am happy to describe that in a better way in the document if you think that the story does not get across well. 

Ciao
Hannes

> 
> Best Regards
> Sergey
> 
> On 15/07/13 18:29, Hannes Tschofenig wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>> 
>> Hi all,
>> 
>> we have submitted an update to the MAC token document. From the changes to the previous version you will see that we have incorporated text written during the design team discussions earlier this year into the appendix. I hope that this provides additional background about the threats, use cases, and security requirements. Phil has joined us as a co-author (since he was heavily involved in the work on the incorporated text).
>> 
>> There is, however, still work to be done. The body of the document still needs a lot of work to get the specification to level of detail that we can start the WGLC.
>> 
>> Anyway, here is the updated  document:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-http-mac
>> 
>> Ciao
>> Hannes
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> 
>> iQEcBAEBCgAGBQJR5DF6AAoJEGhJURNOOiAtD1YIAKZYojwcZ1H8MqWtvJTv9/81
>> YLIW7kUraNlwUelTRu4WoakYDGmcG8gPHr4LjbVWhhtcSOIHqDsEYeCuEqPTBPbZ
>> Gv5tG7B5SKS7Cn540f5ZVGNsIhGqSdpBpdRau2o8WKlD3HwgOHKeLgBfhF7fkWhc
>> 3xDo2lS3Q6khwPW2VrnP1fpUS2vs2sMq+zWBYwk0+onHcdSVsonF0+gPkg0aaXnO
>> gMZML5KecISt7UHI8r4ZduCkPq1Hhk3Rdp7XW3KOnJRO1DNeShjI20k52sU6Y33Q
>> mmATLQoqyb9ld2gZIspS3w0eGfKkO843ImwTCjtLMHWH50rYGuv0oue5Lf0x0n8=
>> =fDtL
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJR5F1RAAoJEGhJURNOOiAteosIAJx3WPuvRgMLkal1S+8yNYZa
OXkBwDBW9bik0FX683Dw7HFzAoTuGyGuV1mb6oUIsd2NZfBgN4l9Gs24VrUlbndh
MjZRJ9+23NrZd/uVo0t3w3eEdTS0OjKGz8j9AO+gFBFDCtoqTu8CSmbi2hG9v/j0
tn7891snryz77Gg/D1zlkSS4njt0M9Gl5eaMmU5R13p2wbfpL0k2Qqs3XumAeSSO
y/jgCJ4lXaLp2HepdfEvjdYwCM8cOzYJ2vvePJ/39jYNMqifmJfk3hVHcFTP4TM4
ers2hZBe0iTkc0aICmdtwyK0VtFPGGa4XvfHGTWQ+g0hBZxmfLxIY3VGZVun4Q8=
=677/
-----END PGP SIGNATURE-----
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email