IETF Logo Mail Archive

Re: [OAUTH-WG] "shared symmetric secret"

John Kemp <john@jkemp.net> Tue, 13 July 2010 19:36 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 007EB3A6A8A for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 12:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jvJH0srKLFa3 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 12:36:06 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com [67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id D97A43A6B2E for <oauth@ietf.org>; Tue, 13 Jul 2010 12:33:24 -0700 (PDT)
Received: (qmail 11092 invoked by uid 0); 13 Jul 2010 19:32:00 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy2.bluehost.com with SMTP; 13 Jul 2010 19:32:00 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=SgSSkkI3Z6u+c5hMw/J7mJ9gVLu27ESnqobhahjdjlbfpIE1Tmx35PIH3GTb0t1pUTVGvfSnuVQuSfuVF1JRFb9Oa4csAf/EnWmePjv+fQncYDI+Ry9aPfxARQzKPrcc;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.112]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <john@jkemp.net>) id 1OYlCy-0005gX-39; Tue, 13 Jul 2010 13:32:00 -0600
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="windows-1252"
From: John Kemp <john@jkemp.net>
In-Reply-To: <AANLkTimKH9OL3zq91lTCK8_EuCefcifPfqslb24zytv7@mail.gmail.com>
Date: Tue, 13 Jul 2010 15:31:58 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <93F20A70-3133-4C5A-BE15-9C85F1D42787@jkemp.net>
References: <97BD2762-F147-4774-9557-AD478338B348@jkemp.net> <C861F32E.371BA%eran@hueniverse.com> <D24C564ACEAD16459EF2526E1D7D605D0C9E7F3576@IMCMBX3.MITRE.ORG> <AANLkTimKH9OL3zq91lTCK8_EuCefcifPfqslb24zytv7@mail.gmail.com>
To: Blaine Cook <romeda@gmail.com>
X-Mailer: Apple Mail (2.1081)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "shared symmetric secret"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 19:36:31 -0000

On Jul 13, 2010, at 3:03 PM, Blaine Cook wrote:

> +1 on "like a password", or something similar-and-meaningful because
> that's exactly how it's being used here. Pre-shared key, shared
> secret, etc, would be fine. Keep in mind that authentication *will be
> done* using the bearer token, and the bearer token alone.

Where is that specified? Is that required for all implementations?

> 
> An OAuth token is unlike capabilities in that capabilities tend to be
> bound to addressable data – in most OAuth deployments, the data
> addressing is separate from the token.

A capability, basically, is a reference to an object and the permission to use it, bound together. Possession of the capability is enough to authorize the use of the reference. Bearer tokens follow roughly that model. They are about authorization and MAY be used alone for authentication, but may also be used with (specified, or not, in OAuth) other mechanisms for authentication. At least I hope that is the model (not to *require* servers to authenticate using the bearer token alone even if *some* implementations do that)?

- johnk

> 
> b.
> 
> On 13 July 2010 19:46, Richer, Justin P. <jricher@mitre.org> wrote:
>>>> I would be very unhappy if we equated access tokens with passwords.
>>>> 
>>>> I agree with Dirk that "capability" is a more expressive phrase than either
>>>> "shared secret" or "password".
>> 
>>> Expressive to you and people well-versed in security theory. It means
>>> nothing to a casual reader. The token definition includes the term, but in
>>> this section, it is referring to how an access token is used, and it is used
>>> just like a password.
>> 
>>  Definitely agree with Eran here. The term "capability" doesn't mean much to me in this circumstance, but "like a password" tells me exactly what I, as an implementer, can expect.
>> 
>>  -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.40.3 | Report a Bug | By Email | System Status