Re: [OAUTH-WG] "shared symmetric secret"

John Kemp <john@jkemp.net> Tue, 13 July 2010 19:07 UTC

From: John Kemp <john@jkemp.net>
In-Reply-To: <D24C564ACEAD16459EF2526E1D7D605D0C9E7F3576@IMCMBX3.MITRE.ORG>
Date: Tue, 13 Jul 2010 15:07:01 -0400
Message-Id: <361957FA-3B07-46CB-841B-510249F81788@jkemp.net>
References: <97BD2762-F147-4774-9557-AD478338B348@jkemp.net>, <C861F32E.371BA%eran@hueniverse.com> <D24C564ACEAD16459EF2526E1D7D605D0C9E7F3576@IMCMBX3.MITRE.ORG>
To: "Richer, Justin P." <jricher@mitre.org>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "shared symmetric secret"

On Jul 13, 2010, at 2:46 PM, Richer, Justin P. wrote:

>>> I would be very unhappy if we equated access tokens with passwords.
>>> 
>>> I agree with Dirk that "capability" is a more expressive phrase than either
>>> "shared secret" or "password".
> 
>> Expressive to you and people well-versed in security theory. It means
>> nothing to a casual reader. The token definition includes the term, but in
>> this section, it is referring to how an access token is used, and it is used
>> just like a password.
> 
> Definitely agree with Eran here. The term "capability" doesn't mean much to me in this circumstance, but "like a password" tells me exactly what I, as an implementer, can expect. 

Perhaps so, but it doesn't correctly describe how the token should be used, or deal with the difference between authentication and authorization. It also doesn't reflect the language used elsewhere in the specification. 

Regards,

- johnk

> 
> -- Justin
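An added illustration of the distinction argued over in this thread (example code written for this page, not code from the OAuth drafts or from any participant): a password check establishes who the caller is, while an access-token check establishes what a particular client may do on a user's behalf, for how long, and nothing more. The token is presented the way a password is (an opaque secret in the request), which is the "like a password" reading; what the resource server actually evaluates is a scoped, expiring capability, which is the "capability" reading. All users, clients, scopes and secrets below are constructed for the demonstration.

```python
"""Added example, not code from the OAuth-WG thread or the OAuth drafts: a
password authenticates a principal, while an access token is a scoped,
expiring capability a client presents on a user's behalf. Every name, user,
secret and token here is constructed for the demonstration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential store: username -> salted PBKDF2 hash.
_SALT = b"constructed-demo-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_pw("correct horse battery")}

# Constructed token store: opaque token string -> the capability it denotes.
TOKENS: Dict[str, dict] = {}


def authenticate_password(user: str, password: str) -> Optional[str]:
    """Password check: establishes *who* is asking. Success yields the
    identity itself, with everything that identity is allowed to do."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
        return None
    return user


def issue_token(user: str, client_id: str, scope, ttl: int, now: float) -> str:
    """Authorization-server side (after the user has consented): mint an
    opaque bearer token bound to one client, one scope set and an expiry."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {
        "user": user,
        "client": client_id,
        "scope": frozenset(scope),
        "exp": now + ttl,
    }
    return token


def authorize_token(token: str, required_scope: str, now: float) -> Optional[dict]:
    """Resource-server side: the token arrives like a password (an opaque
    secret in the request), but what is checked is *what* it permits, not
    who holds it. Unknown, expired or out-of-scope tokens are refused."""
    cap = TOKENS.get(token)
    if cap is None or now >= cap["exp"] or required_scope not in cap["scope"]:
        return None
    return cap


def demo(now: float = 1_000_000.0) -> dict:
    """Two clients acting for the same user hold different capabilities,
    which a single password could never express."""
    reader = issue_token("alice", "photo-viewer", {"photos:read"}, ttl=3600, now=now)
    editor = issue_token("alice", "photo-editor", {"photos:read", "photos:write"}, ttl=3600, now=now)
    return {
        "password_ok": authenticate_password("alice", "correct horse battery"),
        "password_bad": authenticate_password("alice", "wrong"),
        "reader_can_read": authorize_token(reader, "photos:read", now) is not None,
        "reader_can_write": authorize_token(reader, "photos:write", now) is not None,
        "editor_can_write": authorize_token(editor, "photos:write", now) is not None,
        "reader_after_expiry": authorize_token(reader, "photos:read", now + 7200) is not None,
        "bogus_token": authorize_token("not-a-real-token", "photos:read", now) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clock is passed in explicitly so expiry can be exercised deterministically; a real resource server would read it from the system clock and would typically look the token up through introspection or a signed token format rather than an in-process dictionary.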