Re: [OAUTH-WG] OAuth 1.0a

William Mills <wmills_92105@yahoo.com> Wed, 15 August 2012 06:37 UTC

References: <1345011361.54744.YahooMailNeo@web31816.mail.mud.yahoo.com> <CC511D16.8973%hannes.tschofenig@nsn.com>
Message-ID: <1345012648.53966.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Tue, 14 Aug 2012 23:37:28 -0700
From: William Mills <wmills_92105@yahoo.com>
To: Hannes Tschofenig <hannes.tschofenig@nsn.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
In-Reply-To: <CC511D16.8973%hannes.tschofenig@nsn.com>
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0a

Sorry, that other thread is on the Kitten list.  Cross post it here?

Certainly MAC or HoK could change and become incompatible with the current SASL mechanism spec.  Hopefully not fundamentally incompatible, and either a new spec or the updated MAC or HoK spec can update the SASL mechanism to provide compatibility.

-bill


________________________________
 From: Hannes Tschofenig <hannes.tschofenig@nsn.com>
To: William Mills <wmills_92105@yahoo.com>; Hannes Tschofenig <Hannes.Tschofenig@gmx.net> 
Cc: O Auth WG <oauth@ietf.org> 
Sent: Tuesday, August 14, 2012 11:32 PM
Subject: Re: [OAUTH-WG] OAuth 1.0a
 

Hi Bill, 


On 8/15/12 9:16 AM, "ext William Mills" <wmills_92105@yahoo.com> wrote:


>> Fundamentally MAC and any HoK that uses symmetric keys are equivalent.  Either can pull in the same profile of HTTP stuff into the signature.
>
>The issue is: a small change in the protocol specification makes the two mechanisms incompatible. Hence, you have to provide the code for the two and a possible negotiation mechanism along with it. For example, the fact that OAuth 1.0 does not allow for automatic token refresh already makes the OAuth 1.0 MAC and the OAuth 2.0 MAC different.
>
>> I commented on your argument that MAC and Bearer have equivalent security properties in a different thread.
>
>Sorry. I missed that. Do you have a pointer for me by chance?
>
>
>Ciao
>Hannes
>
>> -bill
>
>  
> 
> 
> 
>>________________________________
>  From:Hannes Tschofenig <hannes.tschofenig@gmx.net>
> To: William Mills <wmills_92105@yahoo.com> 
>Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Torsten Lodderstedt <torsten@lodderstedt.net>; O Auth WG <oauth@ietf.org> 
> Sent: Tuesday, August 14, 2012 10:49 PM
> Subject: Re: [OAUTH-WG] OAuth 1.0a
> 
> 
>Hi Bill, 
>
>how do you know that the outcome of the security discussions is unlikely to be different from MAC?
>
>The views about TLS have changed in the meantime (a few years ago many thought it was too heavy and too expensive to get certificates), and we now have the JSON work as well. On top of that we may also want to provide not just client to server key confirmation with integrity protection of a few fields but more than that. In a nutshell the solution has to provide better security than bearer -- not just be different. 
>
>Ciao
>Hannes
>
>On Aug 14, 2012, at 10:53 PM, William Mills wrote:
>
>> I want to get the SASL work done.   HoK is interesting, but I've become convinced that it's not actually anything that needs its own spec, you can do HoK with MAC or any other signed scheme by including the needed proof of ownership in the token.   HoK, however it works out, is unlikely to vary a lot from the elements that would currently be needed to support MAC or 1.0a and if needed can just extend the SASL mechanism.
>> 
>> -bill
>> 
>> From: Torsten Lodderstedt <torsten@lodderstedt.net>
>> To: William Mills <wmills_92105@yahoo.com> 
>> Cc: Mike Jones <Michael.Jones@microsoft.com>; O Auth WG <oauth@ietf.org> 
>> Sent: Tuesday, August 14, 2012 12:42 PM
>> Subject: Re: [OAUTH-WG] OAuth 1.0a
>> 
>> Hi Bill,
>> 
>> do you need to specify this aspect of your SASL profile now? Why don't you wait for the group to complete the work on signing/HoK? 
>> 
>> You could also contribute your use cases to drive the discussion.
>> 
>> best regards,
>> Torsten.
>> 
>> Am 14.08.2012 21:37, schrieb William Mills:
>>> It's for the OAUTH SASL spec.  I've been writing it with the idea that OAuth 1.0a would work (since I think we'll have extant 1.0a type tokens we want to allow for IMAP), but several folks were saying when this all started that 1.0a was dead and I should not refer to it.
>>> 
>>> I want to make sure the SASL mechanism is built to properly handle signed auth schemes and not just bearer (cookie) type.  
>>> 
>>> -bill
>>> 
>>> From: Mike Jones <Michael.Jones@microsoft.com>
>>> To: William Mills <wmills_92105@yahoo.com>; O Auth WG <oauth@ietf.org> 
>>> Sent: Tuesday, August 14, 2012 12:28 PM
>>> Subject: RE: [OAUTH-WG] OAuth 1.0a
>>> 
>>> What problem are you trying to solve?
>>>  
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
>>> Sent: Tuesday, August 14, 2012 12:22 PM
>>> To: O Auth WG
>>> Subject: [OAUTH-WG] OAuth 1.0a
>>>  
>>> What's the general opinion on 1.0a?  Am I stepping in something if I refer to it in another draft?  I want to reference an auth scheme that uses signing and now MAC is apparently going back to the drawing board, so I'm thinking about using 1.0a.
>>>  
>>> Thanks,
>>>  
>>> -bill
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> 
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
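Added by the editor, not part of the thread: a small Python illustration of Hannes's point above that two HMAC-over-HTTP-request schemes become incompatible as soon as the string they sign differs, even when both are "HMAC-SHA1 over the same HTTP elements". It signs one constructed request with the RFC 5849 (OAuth 1.0a) signature base string and with a normalized request string in the style of draft-ietf-oauth-v2-http-mac-01 (field order reproduced from memory, so treat it as an assumption), using the same key for both so that only the format differs; the URL, key, nonce and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def _enc(s):
    # RFC 5849 3.6: percent-encode everything except unreserved characters
    return quote(str(s), safe="")

def oauth1_base_string(method, url, oauth_params):
    """RFC 5849 3.4.1 signature base string: METHOD & enc(base URI) & enc(normalized params)."""
    u = urlsplit(url)
    base_uri = f"{u.scheme.lower()}://{u.hostname}{u.path}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in pairs))
    return "&".join(_enc(x) for x in (method.upper(), base_uri, normalized))

def mac_normalized_string(timestamp, nonce, method, url, ext=""):
    """Normalized request string in the style of draft-ietf-oauth-v2-http-mac-01 3.3.1
    (assumed field order: timestamp, nonce, method, request-URI, host, port, ext, each + LF)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = u.path + (f"?{u.query}" if u.query else "")
    return "".join(f"{x}\n" for x in (timestamp, nonce, method.upper(), request_uri, u.hostname, port, ext))

def hmac_sha1_b64(key, message):
    return base64.b64encode(hmac.new(key.encode(), message.encode(), hashlib.sha1).digest()).decode()

def verify(key, presented_mac, string_to_sign):
    """Server side: recompute the MAC over its own normalization and compare in constant time."""
    return hmac.compare_digest(hmac_sha1_b64(key, string_to_sign), presented_mac)

def demo():
    """Sign one constructed request both ways with the SAME key, so only the string format differs.
    (A real RFC 5849 key would be enc(client secret)&enc(token secret); using one raw key isolates
    the effect of the normalization format, which is the point being made.)"""
    url = "https://api.example.com/1/messages?folder=inbox"   # constructed
    ts, nonce, key = "1345012648", "n0nce", "s3cret"           # constructed values
    s1 = oauth1_base_string("GET", url, {
        "oauth_consumer_key": "client1", "oauth_token": "tok", "oauth_nonce": nonce,
        "oauth_timestamp": ts, "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"})
    s2 = mac_normalized_string(ts, nonce, "GET", url)
    m1 = hmac_sha1_b64(key, s1)   # what an OAuth 1.0a client would send
    return {
        "oauth1_string": s1, "mac_string": s2,
        "oauth1_accepted_by_oauth1_verifier": verify(key, m1, s1),
        # same request, same key, but a verifier that normalizes the MAC-draft way rejects it
        "oauth1_accepted_by_mac_verifier": verify(key, m1, s2),
    }
```

Without a scheme indicator in the request, a server that implements only one normalization has no way to tell "wrong format" from "wrong key", which is why Hannes argues that supporting both means shipping both code paths plus a negotiation mechanism.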