Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Bill Mills <wmills_92105@yahoo.com> Mon, 09 March 2015 16:32 UTC

Date: Mon, 9 Mar 2015 16:31:57 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <111147053.1610787.1425918717427.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A366B1571@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A366B1571@xmb-rcd-x10.cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/kO_kmGqIdimPHtGpYzpW-gYCe0k>
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

If this spec is about providing a single option for doing this as an option that's fine. If it becomes MTI for using POP tokens at all I think that's a mistake. OAuth 2 provides a framework and one optional token type, Bearer, which is not MTI. That's a reasonable thing and would work here.

On Sunday, March 8, 2015 10:48 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:

In this use case RS and AS could be implemented and operated by different providers; MTI solves the interop issue.

-Tiru

From: Bill Mills [mailto:wmills_92105@yahoo.com]
Sent: Monday, March 09, 2015 11:10 AM
To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Explain to me why there should be one other than the desire to over-specify? Why is one so clearly superior to any of the various possibilities that it should be mandated?

I do not think that there is any clearly superior mechanism and so making any particular one MTI is pointless and just likely to cause perfectly good implementations to be out of spec.

On Sunday, March 8, 2015 10:24 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:

Hi Bill,

Can you please provide more details on why mandating a specific key distribution mechanism is not appropriate, especially in the case of loosely coupled systems?

-Tiru

From: Bill Mills [mailto:wmills_92105@yahoo.com]
Sent: Monday, March 09, 2015 10:27 AM
To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

I do not believe making any specific key distribution MTI is appropriate.

On Sunday, March 8, 2015 8:06 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:

Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses a long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism.

In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled).

Thoughts on which one should be mandatory to implement?
(This question came up in IESG review and probably would be a question for the proof-of-possession work as well.)

Thanks and Regards,
-Tiru 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
> 
> Hi all,
> 
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
> 
> Ciao
> Hannes
> 
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
> 
> 
> Hiya,
> 
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
> 
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
> 
> Thanks in advance,
> S.
> 
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth