Re: [OAUTH-WG] Fwd: Is OAUTHV2-HTTP_MAC dead?

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 11 September 2014 21:38 UTC

Message-ID: <54121656.7090901@gmx.net>
Date: Thu, 11 Sep 2014 23:38:30 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Rex Albert <rexandalbert@gmail.com>, oauth@ietf.org
References: <CAO2Ho1RiziEar9NCb3FfdY+C7SJQ7Z5FBP6qOS3tkovOJoRQVw@mail.gmail.com> <CAO2Ho1RjBw_+5oGvRm53FrRKJU5jr2G5EzdqeWYdMXUZKuP1TQ@mail.gmail.com> <54101EB7.1000502@gmail.com> <541074C3.3030400@gmx.net> <CAO2Ho1Sq8ekK2MhvDcHRYYhbnJ33fYmy34x3ooieibLNWBcd1A@mail.gmail.com>
In-Reply-To: <CAO2Ho1Sq8ekK2MhvDcHRYYhbnJ33fYmy34x3ooieibLNWBcd1A@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ly6jWn78QJ1Jvmd22sloikyLdXU

Hi Rex,

On 09/11/2014 10:15 AM, Rex Albert wrote:
> Hi Hannes,
> Thank you very much for the response; it is very useful to have such
> detailed information. Thank you again for that.
> I am now reading about PoP and it is very interesting and also seeing
> HTTP signature as well. 

Thanks for looking at the document. Please provide comments, if you run
into questions or bugs.


> Our requirement in short - to achieve seamless authentication and
> authorization among HTTP - REST based web services within a protected
> network with a secure channel for communication, without human
> intervention and without compromise on the time taken to process each
> request. 

I think we are getting there.

> Kindly let me know if you need further details.

Particularly for the HTTP signature approach we need input since it is
still not close to getting finalized.


It would also be great if you also have some possibility to provide
implementation feedback.

> thanks again
> -rex
> 
Ciao
Hannes

> On Wed, Sep 10, 2014 at 9:26 PM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     Hi Rex,
> 
>     the document <draft-ietf-oauth-v2-http-mac-05> has been superseded by
>     the PoP work (which was subsequently split into various other
>     documents).
> 
>     That, however, does not mean that the content is dead. The mechanism for
>     the authorization server to convey the symmetric key to the client is
>     now documented in <draft-ietf-oauth-pop-key-distribution>. The high
>     level description / overview is now documented in
>     <draft-ietf-oauth-pop-architecture>. The actual mechanism for the client
>     to apply the key to the request to the resource server is now documented
>     in <draft-ietf-oauth-signed-http-request>.
> 
>     While <draft-ietf-oauth-signed-http-request> today is different to the
>     mechanism described in <draft-ietf-oauth-v2-http-mac-05> it also has to
>     be said that it is the weakest document in the entire document set at
>     the moment.
> 
>     So, there is still a chance to incorporate your design requirements into
>     the appropriate parts of the work since the work is still in progress.
> 
>     It would be good to know what your requirements/interests are.
> 
>     Ciao
>     Hannes
> 
> 
>     On 09/10/2014 11:49 AM, Sergey Beryozkin wrote:
>     > Hi
>     > On 10/09/14 09:57, Rex Albert wrote:
>     >>
>     >>
>     >> Hi,
>     >> We are looking at implementing OAUTHV2-HTTP-MAC whose draft is in an
>     >> expired state. (http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05) Is
>     >> it dead or is it going to be a standard anytime? or are we going to
>     >> implement at our own risk? or is there a better standard/draft (alive)
>     >> which might supersede this draft?
>     >
>     > It's not going to be revived. Does not mean though one can not use the
>     > idea for implementing custom OAuth2 token schemes, IMHO it was a very
>     > simple and effective 'PoP' approach, and it is easy to document and
>     > support. FYI, we support a Hawk scheme (not part of OAuth2 work at all,
>     > kind of 'draft-ietf-oauth-v2-http-mac-06') as an access token scheme in
>     > our project.
>     >
>     > As far as I understand new proof-of-possession documents the group is
>     > working upon will offer the alternative standard solutions.
>     >
>     > Cheers, Sergey
>     >
>     >>
>     >> thank you for your time.
>     >> I am a newbie to the IETF draft process and kindly excuse my naivety.
>     >> -rex
>     >>
>     >>
>     >>
>     >> _______________________________________________
>     >> OAuth mailing list
>     >> OAuth@ietf.org <mailto:OAuth@ietf.org>
>     >> https://www.ietf.org/mailman/listinfo/oauth
>     >>