IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 16 February 2011 17:33 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E61C3A6EBD for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:33:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.584
X-Spam-Level:
X-Spam-Status: No, score=-2.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5PyBGMzHSAV for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 09:33:11 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 97EDB3A6EB0 for <oauth@ietf.org>; Wed, 16 Feb 2011 09:33:11 -0800 (PST)
Received: (qmail 16645 invoked from network); 16 Feb 2011 17:33:39 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 16 Feb 2011 17:33:39 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Wed, 16 Feb 2011 10:33:20 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Richer, Justin P." <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 16 Feb 2011 10:33:13 -0700
Thread-Topic: [OAUTH-WG] Draft -12 feedback deadline
Thread-Index: Acu+DiRiftKVyAT6QuensmfJaoXx7AAT0zJVA+eoncA=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723445A91D3F09@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com>, <D7614CE6-BA5B-4E2E-9ECE-7CBF06DC527C@kiva.org> <D24C564ACEAD16459EF2526E1D7D605D0FFC3C713E@IMCMBX3.MITRE.ORG>
In-Reply-To: <D24C564ACEAD16459EF2526E1D7D605D0FFC3C713E@IMCMBX3.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 17:33:12 -0000

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Richer, Justin P.
> Sent: Thursday, January 27, 2011 12:05 PM

> 1.2
> 
> "Tokens may be pure capabilities." To a non-security-engineer such as
> myself, this bit reads very oddly on its own. I understand that "capability" has
> another meaning in the security world, so can we either reference that
> definition or give a small prose example, like "capabilities, such as ...".

I dropped this. This means nothing to most people. I have no objection for this to be added in the security considerations section.
 
> 1.3
> 
> Should these introductions link down to their implementation sections?
> Seems like a useful xref.
> 
> 1.3.2, 4.2

Nah. I want people to read the introduction as a whole, then just use the rest as reference. Jumping between sections is just confusing.

> I'm not sold on calling this "Implicit", though "user agent" and "direct" aren't
> much better.

It's descriptive.

> 2.
> 
> Should we strengthen the first "SHOULD NOT" to a "MUST NOT", since this is
> about assumptions of security made by the AS? This is possibly bikeshedding
> as the AS could always still say "We know that the secret-storage security of
> some clients might be bad but that's OK."

I actually changed it to lowercase since it is not really normative.

> 3.2
> 
> Can we make the token endpoint MUST support POST and MAY support
> GET? I understand the arguments for favoring POST, but they don't always
> apply to all environments. (Brought this up a while ago, seems like it's not a
> breaking change to allow.)

It applies to the web as a whole. What you do internally is your business... Requiring POST removes the need to write security consideration about the issues with GET.

> 6.
> 
> I'd like to see a paragraph on redelegation practices, but I'm not sure it
> belongs in the core as it's really more of a way of *using* refresh tokens and
> scopes in a slightly different way than it is really a *new* thing. All the
> mechanisms are there to support it, a recipe just hasn't been written out for
> it. Is there desire for an extension doc for this?

>From my experience, writing a draft works better than asking for interest. I am sure you'll find an audience.
 
EHL

v2.23.0 | Report a Bug | By Email