Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Pete Resnick <presnick@qti.qualcomm.com> Fri, 17 October 2014 17:26 UTC

Message-ID: <54415122.9030902@qti.qualcomm.com>
Date: Fri, 17 Oct 2014 12:25:54 -0500
From: Pete Resnick <presnick@qti.qualcomm.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.1.9) Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com> <28A05FEA-9EEA-4E95-9B9F-587120A74BAA@ve7jtb.com> <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com> <19E82AEC-A5DA-41E9-9370-3FF16264DEAE@ve7jtb.com> <F47576F0-9B71-4CDE-88BB-487993A2E661@oracle.com> <4E1F6AAD24975D4BA5B16804296739439BB16289@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB16289@TK5EX14MBXC286.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------040105000000030001020005"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/uyAyumbStSg2AO2rIA2Lsmu5ym0
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Richard Barnes <rlb@ipv.sx>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Precedence: list

On 10/17/14 12:09 PM, Mike Jones wrote:
>
> This is the standard mitigation for a known set of actual attacks.  We 
> shouldn't even consider making it optional.
>

Do you mean you shouldn't consider making it optional for HoK? Again, 
making it clear that the MUST applies only to bearer assertions, and 
that future extensions for HoK might have different requirements, is all 
that is being asked for here.

pr

-- 
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478

[OAUTH-WG] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Pete Resnick
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Kathleen Moriarty
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones