IETF Logo Mail Archive

Re: [OAUTH-WG] "shared symmetric secret"

John Kemp <john@jkemp.net> Tue, 13 July 2010 17:24 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 027653A6840 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 10:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9Vn4xwNdubY for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 10:24:57 -0700 (PDT)
Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id D130E3A6824 for <oauth@ietf.org>; Tue, 13 Jul 2010 10:24:57 -0700 (PDT)
Received: (qmail 16077 invoked by uid 0); 13 Jul 2010 17:25:06 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy3.bluehost.com with SMTP; 13 Jul 2010 17:25:06 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=uYqIfjAMvIUTRQhoZQAgwYIZFj+C7ppTB63Pv2PiFZNvv6zwPjNl2Xh+Umfwobg50CNXptEkWACsqB/EMxC8ZPcQCLtTcOjPhO3A1Z2iewXni/0joXPt7iHQIG144u3n;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.112]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <john@jkemp.net>) id 1OYjEA-000370-2e; Tue, 13 Jul 2010 11:25:06 -0600
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="windows-1252"
From: John Kemp <john@jkemp.net>
In-Reply-To: <C861DC13.37160%eran@hueniverse.com>
Date: Tue, 13 Jul 2010 13:25:05 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <97BD2762-F147-4774-9557-AD478338B348@jkemp.net>
References: <C861DC13.37160%eran@hueniverse.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1081)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "shared symmetric secret"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 17:24:59 -0000

On Jul 13, 2010, at 12:02 PM, Eran Hammer-Lahav wrote:

> I am ok replacing it with ‘acts as a password’.

An access token is something used by the server to decide whether a request is authorized. Although it may also be used for authenticating the request(er), it's purpose is to authorize the request. 

In the "bearer token" case (and even over SSL unless client certs are used), the token clearly SHOULD NOT be used as a password. Rather, authentication should be performed by some other mechanism, unrelated to the token itself (such as an HMAC, or via client-certificate SSL/TLS, or even via an actual username/password) 

I would be very unhappy if we equated access tokens with passwords. 

I agree with Dirk that "capability" is a more expressive phrase than either "shared secret" or "password". 

Regards,

- johnk

> 
> EHL
> 
> 
> On 7/13/10 8:55 AM, "Dirk Balfanz" <balfanz@google.com> wrote:
> 
> 
> 
> On Tue, Jul 13, 2010 at 7:18 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> From the client's perspective, they are 'shared symmetric secrets' because
> the client has to store them as-is and present them as-is. The act exactly
> like passwords. I added that text to make that stand out.
> 
> When using passwords, the server doesn't need to store them in plain-text
> either (e.g. uses a way one hash).
> 
> That's why we don't call passwords "shared symmetric secrets", either. The verifier of a passwords can verify it without knowing the secret. In that sense, it's not "shared" with the verifier. 
> 
> I would like the specification to make it clear that bearer tokens are only
> secure while they remain *secret* and that *anyone* holding them can gain
> full access to what their protect.
> 
> I think the word "capability" expresses that better than the word "shared secret". 
> 
> Dirk.
>  
> 
> EHL
> 
> On 7/12/10 10:39 PM, "Brian Eaton" <beaton@google.com> wrote:
> 
> > Section 5: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
> >
> > Calling access tokens "shared symmetric secrets" is misleading,
> > because if they are implemented well the authorization server and
> > protected resource do not store a copy of the secret.
> >
> > Instead they store a one-way hash of the token.  Or they verify the
> > token cryptographically.  Under no circumstances do they need to store
> > a copy.
> >
> > I'd suggest the following language:
> >
> > "Access tokens are bearer authentication tokens or capabilities."
> >
> > Cheers,
> > Brian
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.40.1 | Report a Bug | By Email | System Status