Re: [OAUTH-WG] OAuth Security Discussions

John Bradley <ve7jtb@ve7jtb.com> Mon, 17 September 2012 16:36 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <50573008.7090200@mitre.org>
Date: Mon, 17 Sep 2012 13:36:33 -0300
Message-Id: <7B7DC2ED-8284-4D1B-9FA5-61667F7951A9@ve7jtb.com>
References: <OF6192366F.9DD38E70-ON48257A76.0011F223-48257A76.001221CB@zte.com.cn> <5057136C.6070600@gmx.net> <50573008.7090200@mitre.org>
To: Justin Richer <jricher@mitre.org>
Cc: oauth-bounces@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>

I have had interest from a number of people in standardizing an AS -> RS introspection method.

Ping is happy to contribute our draft as a starting point for work.   The OAuth WG doesn't have this as a work item at the moment.

We could do it as a ID with a number of contributors or find another place to work on it, and then contribute it similar to OAuth itself.

What are people's thoughts?   It is something that I am seeing customers ask for.

John B.

On 2012-09-17, at 11:13 AM, Justin Richer <jricher@mitre.org> wrote:

> On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
>>> Since it is preferred to have a long-lived key shared between AS and RS in
>>> this WG,
>>> Is there any consideration for this key distribution and its security
>>> requirements?
>> So far we have had only discussions regarding the standardization of the
>> AS<->RS server interaction in the context of the UMA work.
>> 
>> You may want to have a look at
>> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
>> 
> Not quite true. There's also the token introspection, like Ping has published[1] or what AOL or MITRE have both implemented. You also have to account for those using structured tokens (like JWTs) with signatures to communicate using the token itself, analogous to SAML assertions.
> 
> When we brought it up during the re-chartering discussion, there seemed to be a number of folks willing to work on publishing something in this area.
> 
> -- Justin
> 
> [1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
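The two AS-to-RS validation models this thread touches on, the introspection method John proposes standardizing and the signed structured tokens (JWTs) Justin mentions, sketched as an added example in Python. This is editor-supplied demo code, not Ping's draft, not the MITRE or AOL implementations, and not anything posted in the thread. The demo assumes: the AS and RS share one long-lived HMAC key (the key the quoted question asks about); the RS authenticates its introspection query with an HMAC over the token being checked (a binding scheme chosen for the demo, not a standard); the structured token is a JWT-style HS256 token hand-encoded here instead of via a library; and every key and token value is constructed.

```python
"""Constructed demo: an RS validating a bearer token either by asking the AS
(introspection, authenticated with a long-lived shared key) or by verifying a
self-contained HS256-signed token locally.  Not any vendor's draft or code."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Long-lived key shared by AS and RS, provisioned out of band (constructed value).
AS_RS_SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"


def rs_credential(token):
    """RS proof that it holds the shared key: an HMAC over the token being
    introspected.  This binding scheme is an assumption of the demo, not a standard."""
    return hmac.new(AS_RS_SHARED_KEY, token.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Issues opaque tokens; answers introspection only for an authenticated RS."""

    def __init__(self):
        self.tokens = {}  # opaque token -> claims; revocation is deletion

    def issue(self, subject, scope, ttl=3600):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": subject, "scope": scope, "exp": int(time.time()) + ttl}
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)

    def introspect(self, credential, token, now=None):
        # Refuse unauthenticated callers outright; otherwise this endpoint is a token oracle.
        if not hmac.compare_digest(credential, rs_credential(token)):
            return None
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, **rec}


class ResourceServer:
    """Accepts opaque tokens by introspecting them at the AS on every request."""

    def __init__(self, authz):
        self.authz = authz

    def authorize(self, bearer, required_scope):
        info = self.authz.introspect(rs_credential(bearer), bearer)
        if not info or not info.get("active"):
            return False
        return required_scope in info["scope"].split()


# Alternative: structured, signed token the RS verifies itself (JWT-style, HS256).
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, key, now=None):
    """Return the claims if the HS256 signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Pin the algorithm: the verifier decides how to verify, never the token's "alg".
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims
```

The difference between the two models shows up in one place: after AuthorizationServer.revoke(), the opaque token is rejected on the very next introspection, while a self-contained token minted with mint_jwt keeps verifying until its exp, because the RS never asks the AS. Two details a practitioner would want to keep: introspect returns nothing at all to a caller that cannot prove possession of the shared key, so the endpoint cannot be used as a free token-validity oracle, and verify_jwt pins the algorithm to HS256 instead of letting the token's own alg header choose the verifier.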