Re: [OAUTH-WG] "shared symmetric secret"
Blaine Cook <romeda@gmail.com> Tue, 13 July 2010 20:07 UTC
On 13 July 2010 20:31, John Kemp <john@jkemp.net> wrote:
> Where is that specified? Is that required for all implementations?

It's not specified - I was referring to your earlier comments:

> In the "bearer token" case (and even over SSL unless client certs are used), the
> token clearly SHOULD NOT be used as a password. Rather, authentication should
> be performed by some other mechanism, unrelated to the token itself (such as an
> HMAC, or via client-certificate SSL/TLS, or even via an actual username/password)
> I would be very unhappy if we equated access tokens with passwords.

The token is never used as the authentication mechanism (i.e., the mechanism to authenticate the user), except in schemes where it explicitly makes sense (e.g., UMA as I understand it, Twitter's OAuth Echo, etc). So there's no concern about that.

What I was trying to say, and I'm just re-iterating Eran's comments here, is that once issued [in the context of a request made by an authenticated user that grants authorization to the OAuth client], the token will be used de facto as a password, passphrase, shared secret, or whatever we want to call it. By calling it a "capability", we don't signal to implementors what the security implications are, and what they can do to avoid disappointment.

> A capability, basically, is a reference to an object and the permission to use it, bound together. Possession of the capability is enough to authorize the use of the reference. Bearer tokens follow roughly that model. They are about authorization and MAY be used alone for authentication, but may also be used with (specified, or not, in OAuth) other mechanisms for authentication. At least I hope that is the model (not to *require* servers to authenticate using the bearer token alone even if *some* implementations do that)?

It's unclear what you mean is being authenticated by the server – do you mean the user, or the client, or something else?

This question is persistent and points to exactly the kind of confusion I think Eran is correct to try to avoid by simply calling the token password-like. If we use language that clearly indicates to developers that "with the clear-text token, requests can be made [modulo reduced permissions] as though they were made by someone in possession of the user's username and password. Don't leak it, and treat it as though it were a password", then we avoid having to explain (embarrassingly) that the "capability" actually meant something like "password".

b.
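The two positions in this exchange, put side by side as an added example that is not part of the thread: the bearer path stores and checks the token the way a password hash would be stored and checked (Blaine's "treat it as though it were a password", with the "reduced permissions" enforced as scopes), while the HMAC path John mentions never transmits the secret at all, so a captured request carries only a signature bound to one method, URI and time window. The in-memory store, the scope names and the signing format are constructed for illustration and are not from any OAuth specification.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store for the resource server. Because a cleartext
# bearer token is "enough to authorize the use of the reference", the server
# keeps only a digest of it, exactly as it would keep a password hash, together
# with the reduced permissions the user granted.
_ISSUED = {}


def issue_bearer(scopes):
    """Mint a bearer token; hand the cleartext out once, store only its digest."""
    token = secrets.token_urlsafe(32)
    _ISSUED[hashlib.sha256(token.encode()).hexdigest()] = frozenset(scopes)
    return token


def check_bearer(token, needed_scope):
    """Possession is the whole proof, so check it the way a password is checked:
    hash the presented value, compare in constant time, then apply the scope limit."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, scopes in _ISSUED.items():
        if hmac.compare_digest(stored, digest):
            return needed_scope in scopes
    return False


def sign_request(secret, method, uri, timestamp):
    """John's alternative: authenticate with an HMAC over the request.
    The secret never leaves the client; only this signature is transmitted.
    (Constructed signing format, not a real protocol's.)"""
    msg = f"{method}\n{uri}\n{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_signed(secret, method, uri, timestamp, signature, now, window=300):
    """A captured signature is bound to one method, URI and time window, so it
    cannot be reused as a general-purpose credential the way a leaked bearer
    token can; the check therefore rejects a stale timestamp before comparing."""
    if abs(now - timestamp) > window:
        return False
    expected = sign_request(secret, method, uri, timestamp)
    return hmac.compare_digest(expected, signature)
```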