Re: [OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10

Justin Richer <jricher@mitre.org> Tue, 04 June 2013 17:34 UTC

Message-ID: <51AE0FBA.1010805@mitre.org>
Date: Tue, 4 Jun 2013 12:03:06 -0400
From: Justin Richer <jricher@mitre.org>
To: Derek Atkins <derek@ihtfp.com>
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <519652C9.5010303@mitre.org> <sjmvc5u4ou7.fsf@mocana.ihtfp.org>
In-Reply-To: <sjmvc5u4ou7.fsf@mocana.ihtfp.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10

We used to have a mechanism for clients to rotate their client secret, 
but that was removed some drafts ago, after list discussion on its utility.

  -- Justin

On 06/03/2013 10:00 PM, Derek Atkins wrote:
> Justin Richer <jricher@mitre.org> writes:
>
>>      I think the concern here is that rotation of client credential is not
>>      something discussed before. Before we put it in the spec we should
>>      consider the reasons for doing it and what problems it solves.
>>
>> The client doesn't get to choose when its credentials get rotated. It used to
>> be able to, but now it's purely the server's choice, including whether or not
>> it wants to rotate things at all. I think this confusion can be cleared up
>> with the explicit lifecycle discussion getting pulled out into one place.
> From a security standpoint, either side should be able to rotate keys.
> It should not be only one side's choice; either side should have the
> option to refresh due to local policy (or worse, local knowledge of an
> issue).
>
> -derek
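The thread turns on who decides when a client secret is rotated. The following is an added illustration (not text from the draft and not MITRE's or anyone's implementation) of the server-controlled lifecycle Justin describes: the authorization server alone decides to rotate, signals the new secret and its `client_secret_expires_at` in the registration read response, and honours the old secret for a short grace window so a client that has just re-read its registration is not locked out mid-rotation. The field names `client_id`, `client_secret` and `client_secret_expires_at` are taken from the dynamic registration draft; the rotation threshold, the grace window, the in-memory store and the fake clock are assumptions of the illustration, not anything the draft specifies.

```python
"""Toy model of server-decided client_secret rotation for a dynamic
registration endpoint. Added illustration; not code from the draft."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ClientRecord:
    client_id: str
    client_secret: str
    client_secret_expires_at: int           # absolute Unix time
    previous_secret: Optional[str] = None   # old secret, honoured only in grace window
    previous_secret_valid_until: int = 0


class FakeClock:
    """Assumed helper so the lifecycle can be stepped deterministically."""
    def __init__(self, start: int = 1_370_000_000) -> None:
        self.t = start

    def __call__(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


class RegistrationServer:
    """The server owns the rotation policy; the client cannot force a rotation."""
    def __init__(self, now: Callable[[], int], secret_lifetime: int = 30 * 86400,
                 rotate_when_remaining: int = 7 * 86400, grace: int = 3600) -> None:
        self.now = now
        self.secret_lifetime = secret_lifetime          # assumed policy value
        self.rotate_when_remaining = rotate_when_remaining  # assumed policy value
        self.grace = grace                              # assumed policy value
        self.clients: Dict[str, ClientRecord] = {}

    def _response(self, rec: ClientRecord) -> dict:
        return {"client_id": rec.client_id, "client_secret": rec.client_secret,
                "client_secret_expires_at": rec.client_secret_expires_at}

    def register(self) -> dict:
        rec = ClientRecord(client_id=secrets.token_hex(8),
                           client_secret=secrets.token_urlsafe(32),
                           client_secret_expires_at=self.now() + self.secret_lifetime)
        self.clients[rec.client_id] = rec
        return self._response(rec)

    def _maybe_rotate(self, rec: ClientRecord) -> bool:
        # Server-side policy: rotate once the current secret is near (or past) expiry.
        if rec.client_secret_expires_at - self.now() > self.rotate_when_remaining:
            return False
        rec.previous_secret = rec.client_secret
        rec.previous_secret_valid_until = self.now() + self.grace
        rec.client_secret = secrets.token_urlsafe(32)
        rec.client_secret_expires_at = self.now() + self.secret_lifetime
        return True

    def read(self, client_id: str) -> dict:
        """Registration read: the only place the client learns of a rotation."""
        rec = self.clients[client_id]
        self._maybe_rotate(rec)
        return self._response(rec)

    def authenticate(self, client_id: str, presented: str) -> bool:
        rec = self.clients.get(client_id)
        if rec is None:
            return False
        now = self.now()
        if now < rec.client_secret_expires_at and \
                hmac.compare_digest(rec.client_secret, presented):
            return True
        # Old secret is accepted only until the grace window closes.
        return (rec.previous_secret is not None
                and now < rec.previous_secret_valid_until
                and hmac.compare_digest(rec.previous_secret, presented))


class RegisteredClient:
    """Client side: persist whatever secret the server currently reports."""
    def __init__(self, registration: dict) -> None:
        self.client_id = registration["client_id"]
        self.client_secret = registration["client_secret"]
        self.expires_at = registration["client_secret_expires_at"]

    def refresh_from_server(self, server: RegistrationServer) -> bool:
        resp = server.read(self.client_id)
        rotated = resp["client_secret"] != self.client_secret
        self.client_secret = resp["client_secret"]
        self.expires_at = resp["client_secret_expires_at"]
        return rotated


def demo() -> dict:
    """Walk one secret through its lifecycle on a constructed timeline."""
    clock = FakeClock()
    server = RegistrationServer(now=clock)
    client = RegisteredClient(server.register())
    first_secret = client.client_secret
    early = client.refresh_from_server(server)       # day 0: no rotation yet
    clock.advance(25 * 86400)                        # day 25: inside the rotation window
    rotated = client.refresh_from_server(server)     # server chose to rotate
    old_in_grace = server.authenticate(client.client_id, first_secret)
    new_ok = server.authenticate(client.client_id, client.client_secret)
    clock.advance(2 * 3600)                          # grace window (1h) has closed
    old_after_grace = server.authenticate(client.client_id, first_secret)
    wrong = server.authenticate(client.client_id, "not-a-secret")
    return {"early_rotation": early, "rotated": rotated,
            "old_secret_during_grace": old_in_grace, "new_secret": new_ok,
            "old_secret_after_grace": old_after_grace, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one Derek raises from the other direction: with rotation purely server-side, a client that never re-reads its registration will eventually present an expired secret and be refused, so the client must treat `client_secret_expires_at` as a deadline to poll by, and the server's grace window is what keeps a well-behaved client from being cut off between the rotation and its next read.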