Re: [OAUTH-WG] December 27, 2012 OAuth Release

William Mills <wmills_92105@yahoo.com> Fri, 04 January 2013 22:48 UTC

Message-ID: <1357339700.37914.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Fri, 04 Jan 2013 14:48:20 -0800
From: William Mills <wmills_92105@yahoo.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943669FE2AD@TK5EX14MBXC283.redmond.corp.microsoft.com>
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release

It's the core problem I see MAC solving.  I'd be happy enough to define a JWT variant that does this if that's easier than MAC.  What do you think?


________________________________
 From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills_92105@yahoo.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Friday, January 4, 2013 2:35 PM
Subject: RE: [OAUTH-WG] December 27, 2012 OAuth Release
 

 
There’s no generic OAuth way to do this.  There is a way to do it in OpenID Connect – see request_object_signing_alg, userinfo_signed_response_alg, and id_token_signed_response_alg in
http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported, and request_object_signing_alg_values_supported in
http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.
 
                                                            -- Mike
 
From: William Mills [mailto:wmills_92105@yahoo.com]
Sent: Friday, December 28, 2012 6:07 PM
To: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
 
Mike,
 
I've read through the JWT spec and I'm curious about something.  How do I specify a signature requirement as the server?  I didn't see it but I probably just missed it.  I'm thinking that with very little work a JWT can do everything that MAC does with greater flexibility, *BUT* the server needs to be able to require a signed usage.  Something I never liked about OAuth 1.0 is that the server must support all valid signature types, even PLAINTEXT, so I want to be able to avoid that.
 
It would require the client to be able to include client generated stuff in the JWT.
 
Thanks,
 
-bill
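As an added illustration (not code from this thread, nor from any OAuth or OpenID Connect implementation), here is the server-side "require a signed usage" check Bill asks about, modelled on the registration and discovery parameters Mike names: the server publishes the algorithms it supports, refuses to register a client for anything else, and verifies tokens against the registered algorithm rather than whatever the token header claims. HS256 with a constructed shared secret is assumed; all function and constant names are hypothetical.

```python
import base64, hashlib, hmac, json

# Server policy, in the spirit of id_token_signing_alg_values_supported:
# "none" is deliberately absent, so unsigned tokens can never be accepted.
SIGNING_ALG_VALUES_SUPPORTED = ("HS256",)   # constructed sample policy


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def register_client(requested_alg: str) -> str:
    """Registration step (cf. request_object_signing_alg): the client names the
    alg it will use and the server rejects anything outside its policy."""
    if requested_alg not in SIGNING_ALG_VALUES_SUPPORTED:
        raise ValueError(f"alg {requested_alg!r} not supported by server")
    return requested_alg


def mint_jwt(claims: dict, key: bytes) -> str:
    """Client side: compact HS256 JWT carrying client-generated claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, required_alg: str) -> dict:
    """Server side: the registered alg is enforced before the signature is
    checked, so a token header of "none" or a downgraded alg is refused."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if required_alg == "none" or header.get("alg") != required_alg:
        raise ValueError("signature requirement not met")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```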