Re: [OAUTH-WG] "shared symmetric secret"

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Tue, 13 July 2010 15:45 UTC

Message-ID: <4C3C8A08.40103@alcatel-lucent.com>
Date: Tue, 13 Jul 2010 11:45:12 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <C861C3D4.37148%eran@hueniverse.com>
In-Reply-To: <C861C3D4.37148%eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "shared symmetric secret"

I tend to agree with Eran, although it should be qualified that a token 
is BASED on a shared secret, rather than is a shared secret itself. (By 
the way, I think the word "symmetric" is redundant here.)

I also think that the text in the Security Considerations must contain 
the last paragraph of Eran's message. Probably the recommendation not to 
store the token on the server, along with the suggestion of storing the 
hash, should also be in place.

Igor

Eran Hammer-Lahav wrote:
> From the client's perspective, they are 'shared symmetric secrets' because
> the client has to store them as-is and present them as-is. They act exactly
> like passwords. I added that text to make that stand out.
>
> When using passwords, the server doesn't need to store them in plain-text
> either (e.g. uses a one-way hash).
>
> I would like the specification to make it clear that bearer tokens are only
> secure while they remain *secret* and that *anyone* holding them can gain
> full access to what they protect.
>
> EHL
>
> On 7/12/10 10:39 PM, "Brian Eaton" <beaton@google.com> wrote:
>
>> Section 5: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
>>
>> Calling access tokens "shared symmetric secrets" is misleading,
>> because if they are implemented well the authorization server and
>> protected resource do not store a copy of the secret.
>>
>> Instead they store a one-way hash of the token.  Or they verify the
>> token cryptographically.  Under no circumstances do they need to store
>> a copy.
>>
>> I'd suggest the following language:
>>
>> "Access tokens are bearer authentication tokens or capabilities."
>>
>> Cheers,
>> Brian
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
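Brian's point above (the server stores only a one-way hash of the token, or verifies the token cryptographically, and never keeps a copy) as an added example; this is not code from the thread or from any OAuth draft. It is a constructed in-memory resource server: one path issues opaque random tokens and keeps only their SHA-256 digest, the other issues self-contained HMAC-tagged tokens that need no server-side storage. The function names, the colon-separated payload format, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: token digest -> authorization record.
# The plaintext token is never written here, only its one-way hash.
_token_store: Dict[str, dict] = {}

# Constructed server-side key for the self-contained (signed) variant.
_SERVER_KEY = secrets.token_bytes(32)


def issue_opaque_token(client_id: str, scope: str) -> str:
    """Mint a random bearer token, store only its SHA-256 digest, hand the token to the client."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _token_store[digest] = {"client_id": client_id, "scope": scope}
    return token


def validate_opaque_token(presented: str) -> Optional[dict]:
    """Hash the presented token and look the digest up; a leaked store cannot be replayed."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return _token_store.get(digest)


def issue_signed_token(client_id: str, scope: str) -> str:
    """Self-contained token: 'client:scope.tag', where tag is an HMAC-SHA256 over the payload."""
    payload = f"{client_id}:{scope}"  # assumed format; client_id must not contain ':'
    tag = hmac.new(_SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def validate_signed_token(presented: str) -> Optional[dict]:
    """Verify the tag in constant time; nothing about the token is stored server-side."""
    payload, sep, tag = presented.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(_SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered payload
    client_id, _, scope = payload.partition(":")
    return {"client_id": client_id, "scope": scope}


def store_contains_token(token: str) -> bool:
    """True if the raw token appears anywhere in the store (it should never)."""
    return any(token in key or token in str(val) for key, val in _token_store.items())
```

Either way the client still holds and presents the token as-is, which is Eran's point: it behaves like a password on the client side even though the server keeps no copy.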