Re: [OAUTH-WG] draft-richer-oauth-instance-00
Justin Richer <jricher@mitre.org> Thu, 20 December 2012 18:20 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9123621F88DD for <oauth@ietfa.amsl.com>; Thu, 20 Dec 2012 10:20:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.461
X-Spam-Level:
X-Spam-Status: No, score=-6.461 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9Q0Oxma+sGU for <oauth@ietfa.amsl.com>; Thu, 20 Dec 2012 10:20:22 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id A09D121F88DC for <oauth@ietf.org>; Thu, 20 Dec 2012 10:20:22 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0E8CD43501FD; Thu, 20 Dec 2012 13:20:22 -0500 (EST)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id ED62B1F0AB5; Thu, 20 Dec 2012 13:20:21 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.318.4; Thu, 20 Dec 2012 13:20:21 -0500
Message-ID: <50D35671.5020906@mitre.org>
Date: Thu, 20 Dec 2012 13:18:25 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Nat Sakimura <sakimura@gmail.com>
References: <CABzCy2C38TT47hBBg53n0emnZPo_-seyeYfkg8hUH0ag7FVbkA@mail.gmail.com>
In-Reply-To: <CABzCy2C38TT47hBBg53n0emnZPo_-seyeYfkg8hUH0ag7FVbkA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060204060501050703070802"
X-Originating-IP: [129.83.31.58]
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-richer-oauth-instance-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 18:20:23 -0000
I would be fine with a machine-readable "instance_id" parameter to be paired with the human-readable items that are in there today. However, since this is a value that goes to the Authorization Endpoint and therefore goes through the browser, it MUST always be treated as self-asserted by the client. As such, I don't see how it can be used as a security-related parameter. The client_id and redirect_uri can be used in this regard because they are registered and paired with other security mechanisms like a client_secret or equivalent. The instance_ parameters are, by their very definition, not provided at registration time. That's not to say it's without utility - browser identifier strings are generally useful to servers and JS apps even though as an end user you can send basically whatever you want there. -- Justin On 12/18/2012 09:47 PM, Nat Sakimura wrote: > Justin, > > In addition to instance_name and instance_description, I think we need > collision resistant instance_id which can be cryptographically linked > to the instance so that it can actually be authenticated, in a similar > manner to what we do with the self-issued IdP in the OpenID Connect. > > My proposal is to create a public-private key pair at the install time > and use the sha256 of the public key as the instance_id. > > Note: If the client is going to talk to multiple entities, the > instance_id would have some privacy impact. > We may need to generate the keypair for each entity that the client > talks to. > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en >
- [OAUTH-WG] draft-richer-oauth-instance-00 Nat Sakimura
- Re: [OAUTH-WG] draft-richer-oauth-instance-00 Justin Richer
- Re: [OAUTH-WG] draft-richer-oauth-instance-00 Nat Sakimura