IETF Logo Mail Archive

Re: [OAUTH-WG] Flowchart for legs of OAuth

Skylar Woodward <skylar@kiva.org> Fri, 08 April 2011 18:25 UTC

Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 187C03A69E2 for <oauth@core3.amsl.com>; Fri, 8 Apr 2011 11:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.742
X-Spam-Level:
X-Spam-Status: No, score=-5.742 tagged_above=-999 required=5 tests=[AWL=0.857, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ddYYl1dQOrP for <oauth@core3.amsl.com>; Fri, 8 Apr 2011 11:25:29 -0700 (PDT)
Received: from na3sys010aog101.obsmtp.com (na3sys010aog101.obsmtp.com [74.125.245.70]) by core3.amsl.com (Postfix) with SMTP id 2A14B3A699C for <oauth@ietf.org>; Fri, 8 Apr 2011 11:25:29 -0700 (PDT)
Received: from mail-pv0-f180.google.com ([74.125.83.180]) (using TLSv1) by na3sys010aob101.postini.com ([74.125.244.12]) with SMTP ID DSNKTZ9TgvBAG/zkHrgqguqHgHJfla8d0mTp@postini.com; Fri, 08 Apr 2011 11:27:15 PDT
Received: by pvg2 with SMTP id 2so2294047pvg.11 for <oauth@ietf.org>; Fri, 08 Apr 2011 11:27:14 -0700 (PDT)
Received: by 10.142.2.3 with SMTP id 3mr2162099wfb.172.1302287233872; Fri, 08 Apr 2011 11:27:13 -0700 (PDT)
Received: from [10.0.1.9] (c-24-5-80-5.hsd1.ca.comcast.net [24.5.80.5]) by mx.google.com with ESMTPS id w32sm3950234wfh.7.2011.04.08.11.27.12 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 08 Apr 2011 11:27:12 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <4D9F3425.1030405@lodderstedt.net>
Date: Fri, 08 Apr 2011 11:27:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1E4E0315-235F-4504-A1F8-A76DE9721645@kiva.org>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <3C84AD7A-F00F-43EC-AAD3-AD2DCFB46B0E@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F432BB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D84F7E2.6090305@redhat.com> <16B9A882-6204-4CBD-B7E3-1D806AF5056C@oracle.com> <4D8A5054.4050006@lodderstedt.net> <BANLkTiniuuRXtkzLubgOjVursVtOGjFe6A@mail.gmail.com> <7616C235-2913-4EE0-A710-F47A4CC9E424@oracle.com> <BANLkTi=XyF25vB6qKX2q8iOpEaZ1yQx9Jw@mail.gmail.com> <65E3F250-5111-4692-BFA7-F5B838E9B41D@gmail.com> <BANLkTik5u5+jjTwnwNCQVyzMux4aMB98yg@mail.gmail.com> <5710F82C0E73B04FA559560098BF95B12505F041B5@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <4D9A318D.3090908@lodderstedt.net><38AE5D29-996A-49AA-89A0-3A15AB4C0823@kiva.org> <1567368214-1301980513-cardhu_decombobulator_blackberry.rim.net-2135712133-@b1.c11.bise7.blackberry> <57E21FB2-6030-4485-BA46-0E12245E9D63@kiva.org> <4D9EAAA2.9030809@lodderstedt.net> <D76D1310-67EE-4CEB-8B0B-15FD63BA3DA3@kiva.org> <4D9F3425.1030405@lodderstedt .net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1082)
Cc: Kris Selden <kris.selden@gmail.com>, "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 18:25:30 -0000

Torsten, that's what the spec recommends already. That's my assumption for everything I've discussed thus far - that clients who can't keep secrets are never issued them and thus must omit them out of lack of having any.

We're just splitting hairs on the definition of "omit."  Also, there's confusion because not everyone has considered the alternative client auth methods apart from the 3.1 password mechanism. I feel a more productive discussion would be to discuss the details of what it means for a client to "omit" secrets for various auth mechanisms. So

- password auth
- HTTP MAC auth
- HTTP Basic?

Additionally if the Password Auth mechanism forbids omission of secrets (including sending empty string as a secret) then we should suggest an alternative, or advise that providers must use another self-defined mechanism for passing unauthenticated client IDs if they wish to require them for record tracking purposes.

skylar


On Apr 8, 2011, at 9:13 AM, Torsten Lodderstedt wrote:

> 
>>>> As to the question of interoperability, the fact that OAuth allows freedom of choice to the AS for method of authentication makes this point moot. Would you agree? (short of various providers could pooling together to standardize on an auth method outside of the spec).
> 
> One possible standard for clients without the capability to protect secrets would be to just omit secrets. Do you agree?
> And the spec itself could (should in my opinion) set this standard.
> 
> regards,
> Torsten.

v2.23.0 | Report a Bug | By Email