[OAUTH-WG] Another OAuth "alternative"

Justin Richer <jricher@MIT.EDU> Thu, 05 May 2016 19:20 UTC

To: oauth@ietf.org
Message-Id: <8DCFF30A-EB35-4E4F-A32F-F3D5E3271D9B@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/oUKk1yucD4XDZTXlFks0p1Oh4RU>

This just passed across my desk, something called TAuth:

https://blog.teller.io/2016/04/26/tauth.html

Basically, the story is “OAuth is hard, so we made our own thing”. Unfortunately, the new thing requires mutual TLS, non-expiring tokens, and a proprietary (as best as I can tell) signature stack. So from my view, it’s already dead in the water in a few different and complex ways, but I’m sure some marketing folks will be pushing it around as the alternative to OAuth.

The article above is full of half-truths, like the true statement “self-contained encrypted tokens can’t be revoked” which leads to “so you shouldn’t use OAuth if you want fast revocation”.

But if nothing else, things like this should encourage us to finish and publish PoP.

 — Justin
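The message above criticises two design choices (non-expiring tokens, and the claim that self-contained tokens rule out fast revocation). The following resource-server validator is an added illustration, not code from Justin's message, from TAuth, or from any OAuth specification: it rejects tokens that carry no expiry, bounds token lifetime, and gives self-contained tokens fast revocation by checking a server-side revocation store keyed by token id before accepting them. The compact `body.signature` HMAC token format, the `SIGNING_KEY`, the `RevocationStore` class and every sample claim value are constructed for this example; the claim names `exp`, `iat` and `jti` are borrowed from JWT (RFC 7519), and the revocation store stands in for whatever a deployment actually consults (a revocation list or a token introspection endpoint, RFC 7662).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue a self-contained token: base64url(JSON claims) '.' base64url(HMAC-SHA256).
    (Constructed format for illustration; not JWS-compatible.)"""
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class RevocationStore:
    """Server-side set of revoked token ids (jti), each remembered only until the
    token's own exp passes; after that the expiry check rejects it anyway, so the
    store stays small. Stands in for a revocation list or introspection endpoint."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked


def validate_token(token: str, store: RevocationStore, now: float = None,
                   key: bytes = SIGNING_KEY, max_lifetime: int = 3600):
    """Return (accepted, reason, claims). Checks run from cheapest to most
    expensive: syntax, signature, expiry, lifetime bound, then revocation."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        provided = _b64url_decode(sig)
    except (ValueError, TypeError):
        return False, "malformed", None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return False, "bad_signature", None
    claims = json.loads(_b64url_decode(body))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        # A token with no expiry can only ever be retired by a revocation
        # entry that must live forever; refuse such tokens outright.
        return False, "no_expiry", None
    if exp <= now:
        return False, "expired", None
    iat = claims.get("iat")
    if iat is not None and exp - iat > max_lifetime:
        return False, "lifetime_too_long", None
    jti = claims.get("jti")
    if not jti:
        return False, "no_jti", None  # nothing to key a revocation on
    if store.is_revoked(jti, now):
        return False, "revoked", None
    return True, "ok", claims


if __name__ == "__main__":
    store = RevocationStore()
    now = 1_700_000_000  # constructed fixed clock for a deterministic demo
    tok = mint_token({"sub": "alice", "jti": "t1", "iat": now, "exp": now + 600})
    print(validate_token(tok, store, now=now)[1])        # ok
    store.revoke("t1", now + 600)
    print(validate_token(tok, store, now=now)[1])        # revoked
```

Revocation takes effect on the very next request because the resource server asks the store before honouring the token; the cost is one lookup per request, which is exactly the trade-off the blog post's "self-contained tokens can't be revoked" claim leaves out.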