Re: [OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10

Derek Atkins <derek@ihtfp.com> Tue, 04 June 2013 02:42 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B9A21F896D for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2013 19:42:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.988
X-Spam-Level:
X-Spam-Status: No, score=-101.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qRykDdaPaaNc for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2013 19:41:50 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) by ietfa.amsl.com (Postfix) with ESMTP id 7F31E21F8FA5 for <oauth@ietf.org>; Mon, 3 Jun 2013 19:00:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 148BA26023B; Mon, 3 Jun 2013 22:00:38 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 22278-10; Mon, 3 Jun 2013 22:00:36 -0400 (EDT)
Received: from mocana.ihtfp.org (unknown [IPv6:fe80::224:d7ff:fee7:8924]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (not verified)) by mail2.ihtfp.org (Postfix) with ESMTPS id 590BA2600C6; Mon, 3 Jun 2013 22:00:36 -0400 (EDT)
Received: (from warlord@localhost) by mocana.ihtfp.org (8.14.5/8.14.5/Submit) id r5420XZc026436; Mon, 3 Jun 2013 22:00:33 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Justin Richer <jricher@mitre.org>
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <519652C9.5010303@mitre.org>
Date: Mon, 03 Jun 2013 22:00:32 -0400
In-Reply-To: <519652C9.5010303@mitre.org> (Justin Richer's message of "Fri, 17 May 2013 11:54:49 -0400")
Message-ID: <sjmvc5u4ou7.fsf@mocana.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: Maia Mailguard 1.0.2a
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 02:42:04 -0000

Justin Richer <jricher@mitre.org> writes:

>     I think the concern here is that rotation of client credential is not
>     something discussed before. Before we put it in the spec we should
>     consider the reasons for doing it and what problems it solves.
>
> The client doesn't get to choose when its credentials get rotated. It used to
> be able to, but now it's purely the server's choice, including whether or not
> it wants to rotate things at all. I think this confusion can be cleared up
> with the explicit lifecycle discussion getting pulled out into one place.

>From a security standpoint, either side should be able to rotate keys.
It should not be only one side's choice; either side should have the
option to refresh due to local policy (or worse, local knowledge of an
issue).

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant