Re: [OAUTH-WG] Shepherd Writeup for draft-ietf-oauth-spop-06.txt

John Bradley <ve7jtb@ve7jtb.com> Wed, 18 February 2015 20:28 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E33FD1A0127 for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 12:28:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3_orHb-gwNoW for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 12:28:25 -0800 (PST)
Received: from mail-pd0-f182.google.com (mail-pd0-f182.google.com [209.85.192.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E77F71A00B7 for <oauth@ietf.org>; Wed, 18 Feb 2015 12:28:24 -0800 (PST)
Received: by pdjz10 with SMTP id z10so3644657pdj.0 for <oauth@ietf.org>; Wed, 18 Feb 2015 12:28:24 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=wGOxobwl66XAHyO7qMEe93X9Jxbvj5+OFJplA76nYZM=; b=EjVJ4B8W30NZoZOPF3R1Kt2YLHuRgTFzxQ+5HDpzRVLUyjwWs1Z7LJx2Gn6koI1Fph BSn/buJPgl5S87CRwkUf9GDo2u1rtX90OGeJZqJUfOQsehrlrP3DceEIhfW0U0i7fltQ U9l0lZJ7t/Ibqa9JjZO5xqWLLKbpCP7xmQl9jbEb/YjP84bt1n1Ws4DqvDgv1XUwGoPv LvsunQuZN7N0YIKArWcp2Uo143IuSp+H4KZyO7T4fCfAukUJz4qgIQh8GvfAjsiuqdCq f96S/m+bbdGaieHX0m6Ymj892riau7qMRGn40NQjyWpx+QeHe2hvYGV7I7NCzKhJXo+I k+Fw==
X-Gm-Message-State: ALoCoQlw/FKGNxwCc88/w8cf/RiZ6m2djIywKqG0dzOkpdgda/mnVZn95CGq50dp3XHoUz7wez+c
X-Received: by 10.68.137.229 with SMTP id ql5mr1795159pbb.134.1424291304105; Wed, 18 Feb 2015 12:28:24 -0800 (PST)
Received: from [100.110.161.212] ([104.135.1.212]) by mx.google.com with ESMTPSA id di10sm21767621pad.41.2015.02.18.12.28.22 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 18 Feb 2015 12:28:22 -0800 (PST)
Content-Type: multipart/alternative; boundary=Apple-Mail-35FA6C8A-9802-426A-8F38-2B78D9A96686
Mime-Version: 1.0 (1.0)
From: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: iPhone Mail (12B466)
In-Reply-To: <06989626-BCCD-443B-AD5F-98436D681DB2@lodderstedt.net>
Date: Wed, 18 Feb 2015 12:28:21 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <0406F230-9B00-4B18-9AD9-03DAD41C2B1C@ve7jtb.com>
References: <54C7BBA4.4030702@gmx.net> <CA+k3eCQCPiAR0s1cX5mC=h2O-5ptVTVq6=cVKHFKu_Adq8bJTg@mail.gmail.com> <2E3D2EE7-8F5F-452D-880A-D62A513AC853@lodderstedt.net> <54E370F9.8060209@gmx.net> <17faabb6e724fb54f3cb8060a3d9cb08@lodderstedt.net> <54E4B0AD.10801@gmx.net> <CA+k3eCThg3TxRtCuEwGGWG07yWZD82i87fUQjDrKs3sMmd5frg@mail.gmail.com> <54E4CCDD.6010709@gmx.net> <06989626-BCCD-443B-AD5F-98436D681DB2@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/k_e6u5DHtFKRVIl0SaqfjMZARD8>
Cc: oauth <oauth@ietf.org>, "naa@google.com >> Naveen Agarwal" <naa@google.com>
Subject: Re: [OAUTH-WG] Shepherd Writeup for draft-ietf-oauth-spop-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 20:28:28 -0000

It was Google that wanted S256 to be mandatory for the AS to support.  That makes it easier for the client. 

S256 is relatively new so not being supported yet is not surprising. 

Sent from my iPhone

> On Feb 18, 2015, at 12:15 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> We don't plan to support s256 
> 
> Basically, I don't see a need to. Plain already mitigates the threat, spop/tcse had been designed to mitigate - an app intercepting the code response of a public client.
> 
> Am 18. Februar 2015 18:33:17 MEZ, schrieb Hannes Tschofenig <hannes.tschofenig@gmx.net>et>:
>> 
>> Thanks Brian for pointing me to Section 4.4.1 and to the MTI for "S256".
>> While this is good from a security point of view I am wondering whether
>> anyone is actually compliant to the specification. Neither PingIdentity
>> nor DT implements the S256 transform, if I understood that correctly.
>> Are you guys going planning to update your implementations?
>> 
>> Ciao
>> Hannes
>> 
>>> On 02/18/2015 05:45 PM, Brian Campbell wrote:
>>>  There's a bit of MTI talk tucked into
>>>  https://tools.ietf.org/html/draft-ietf-oauth-spop-10#section-4.4.1 that
>>>  perhaps needs to be expanded and/or placed somewhere else.
>>>  
>>>  On Wed, Feb 18, 2015 at 8:33 AM, Hannes Tschofenig
>>>  <hannes.tschofenig@gmx.net
>>> <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>  
>>>      Thanks for the info, Torsten.
>>>  
>>>      Your feedback raises an interesting question, namely what functionality
>>>      the parties have to implement to claim conformance to the specification.
>>>  
>>>      Quickly scanning through the specification didn't tell me whether it is
>>>      OK to just implement the plain mode or whether both modes are
>>>      mandatory-to-implement. We have to say something about this.
>>>  
>>>      Ciao
>>>      Hannes
>>>  
>>>  
>>>      On 02/18/2015 02:16 PM, torsten@lodderstedt.net
>>>      <mailto:torsten@lodderstedt.net> wrote:
>>>>  Hi Hannes,
>>>> 
>>>>  our implementation supports the "plain" mode only. We just verified
>>>>  compliance of our implementation with the current spec. As the only
>>>>  deviation, we do not enforce the
>>>> minimum length of 43 characters
>>>      of the
>>>>  code verifier.
>>>> 
>>>>  kind regards,
>>>>  Torsten.
>>>> 
>>>>  Am 17.02.2015 17:48, schrieb Hannes Tschofenig:
>>>>>  Hi Torsten,
>>>>> 
>>>>>  does this mean that your implementation is not compliant with the
>>>>>  current version anymore or that you haven't had time to verify
>>>      whether
>>>>>  there are differences to the earlier version?
>>>>> 
>>>>>  Ciao
>>>>>  Hannes
>>>>> 
>>>>> 
>>>>>  On 01/31/2015 05:34 PM, Torsten
>>>>> Lodderstedt wrote:
>>>>>>  Deutsche Telekom also implemented an early version of the draft last
>>>>>>  year.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>  Am 30.01.2015 um 18:50 schrieb Brian Campbell
>>>>>>  <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>
>>>      <mailto:bcampbell@pingidentity.com
>>>      <mailto:bcampbell@pingidentity.com>>>:
>>>>>> 
>>>>>>> 
>>>>>>>  On Tue, Jan 27, 2015 at 9:24 AM, Hannes Tschofenig
>>>>>>>  <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
>>>      <mailto:hannes.tschofenig@gmx.net
>>>      <mailto:hannes.tschofenig@gmx.net>>> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>>      1) What implementations of the spec are you aware of?
>>>>>>> 
>>>>>>> 
>>>>>>>  We have an AS side implementation of an earlier draft that was
>>>>>>>  released in June of last year:
>>>      http://documentation.pingidentity.com/pages/viewpage.action?pageId=26706844
>>>>>>> 
>>>>>>> 
>>>>>>>  OAuth mailing list
>>>>>>>  OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>>>      <mailto:OAuth@ietf.org>>
>>>>>>>  https://www.ietf.org/mailman/listinfo/oauth
> 
> -- 
> Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth