Re: [OAUTH-WG] "shared symmetric secret"
Blaine Cook <romeda@gmail.com> Tue, 13 July 2010 19:10 UTC
Return-Path: <romeda@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82E0A3A6B33 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 12:10:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V+fSTel+NheV for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 12:10:05 -0700 (PDT)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by core3.amsl.com (Postfix) with ESMTP id 29FFE3A6AA1 for <oauth@ietf.org>; Tue, 13 Jul 2010 12:10:05 -0700 (PDT)
Received: by pwj1 with SMTP id 1so2882682pwj.31 for <oauth@ietf.org>; Tue, 13 Jul 2010 12:10:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:content-type :content-transfer-encoding; bh=z7AiEYkOrFW667nDaCaHwQI/qol0yaOnJYEY/wyoDso=; b=qfwoPu9P9eXMPqL0JpyJ77/O7jjPPJ5P+LRAYeIVYApODSEuR5W7/E+kVNwVK3QSia VwtGxXR687uKnjxo3ooaLmcPgt44xN40+t0kyUv6JZVuzgA4K1dlKZx6WaZQY5dOl4a+ awVUtsj8OqJYXlpaWw1WWZfuXbdjuzF1Z84NY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding; b=anernKx37oF/+VjYNaAMpxIVTY5uwt/ayJe2tsScQZ4o0/0vJ0jCDsTKlMbver+RIK zGSQKiuQbtDbYyC3aFTqTlDY+rd9IGhjLC76Kaqw7eG6FbHLYYA6Epaje/CUJI9Fn3YS I+BWVLUoNUG/z83M0lQkg22oMcOER/bhZNSVY=
Received: by 10.142.210.2 with SMTP id i2mr6157139wfg.24.1279047809379; Tue, 13 Jul 2010 12:03:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.8.6 with HTTP; Tue, 13 Jul 2010 12:03:08 -0700 (PDT)
In-Reply-To: <D24C564ACEAD16459EF2526E1D7D605D0C9E7F3576@IMCMBX3.MITRE.ORG>
References: <97BD2762-F147-4774-9557-AD478338B348@jkemp.net> <C861F32E.371BA%eran@hueniverse.com> <D24C564ACEAD16459EF2526E1D7D605D0C9E7F3576@IMCMBX3.MITRE.ORG>
From: Blaine Cook <romeda@gmail.com>
Date: Tue, 13 Jul 2010 20:03:08 +0100
Message-ID: <AANLkTimKH9OL3zq91lTCK8_EuCefcifPfqslb24zytv7@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [OAUTH-WG] "shared symmetric secret"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 19:10:07 -0000
+1 on "like a password", or something similar-and-meaningful because that's exactly how it's being used here. Pre-shared key, shared secret, etc, would be fine. Keep in mind that authentication *will be done* using the bearer token, and the bearer token alone. An OAuth token is unlike capabilities in that capabilities tend to be bound to addressable data – in most OAuth deployments, the data addressing is separate from the token. b. On 13 July 2010 19:46, Richer, Justin P. <jricher@mitre.org> wrote: >>> I would be very unhappy if we equated access tokens with passwords. >>> >>> I agree with Dirk that "capability" is a more expressive phrase than either >>> "shared secret" or "password". > >> Expressive to you and people well-versed in security theory. It means >> nothing to a casual reader. The token definition includes the term, but in >> this section, it is referring to how an access token is used, and it is used >> just like a password. > > Definitely agree with Eran here. The term "capability" doesn't mean much to me in this circumstance, but "like a password" tells me exactly what I, as an implementer, can expect. > > -- Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] "shared symmetric secret" Brian Eaton
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" Igor Faynberg
- Re: [OAUTH-WG] "shared symmetric secret" Dirk Balfanz
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" John Kemp
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" John Kemp
- Re: [OAUTH-WG] "shared symmetric secret" Richer, Justin P.
- Re: [OAUTH-WG] "shared symmetric secret" John Kemp
- Re: [OAUTH-WG] "shared symmetric secret" Blaine Cook
- Re: [OAUTH-WG] "shared symmetric secret" John Kemp
- Re: [OAUTH-WG] "shared symmetric secret" Blaine Cook
- Re: [OAUTH-WG] "shared symmetric secret" Brian Eaton
- Re: [OAUTH-WG] "shared symmetric secret" Igor Faynberg
- Re: [OAUTH-WG] "shared symmetric secret" Brian Eaton
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" John Kemp
- Re: [OAUTH-WG] "shared symmetric secret" Igor Faynberg
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" Evan Gilbert
- Re: [OAUTH-WG] "shared symmetric secret" Eran Hammer-Lahav
- Re: [OAUTH-WG] "shared symmetric secret" Evan Gilbert