Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 09 March 2015 05:24 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Bill Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 9 Mar 2015 05:24:42 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A366B14BD@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A366B1364@xmb-rcd-x10.cisco.com> <1820766683.1180885.1425877002127.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1820766683.1180885.1425877002127.JavaMail.yahoo@mail.yahoo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/p9kWMnEblb2Hfi30ALkW5lcNqp4>
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Hi Bill,

Can you please provide more details on why mandating a specific key distribution mechanism is not appropriate, especially in the case of loosely coupled systems?

-Tiru

From: Bill Mills [mailto:wmills_92105@yahoo.com]
Sent: Monday, March 09, 2015 10:27 AM
To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

I do not believe making any specific key distribution MTI is appropriate.

On Sunday, March 8, 2015 8:06 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:

Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses the long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism.

In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled).

Thoughts on which one should be mandatory to implement?
(This question came up in IESG review and probably would be a question for proof-of-possession work as well)

Thanks and Regards,
-Tiru

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
>
> Hi all,
>
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
>
> Ciao
> Hannes
>
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
>
>
> Hiya,
>
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
>
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
>
> Thanks in advance,
> S.
>
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth