Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 04 February 2013 17:09 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 4 Feb 2013 19:09:28 +0200
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Hi Adam, 

we had 3 conference calls to discuss the security requirements, and now we have started the design team work. In fact, the first call of the design team starts in 45 mins, and the conference call details have been sent to the list. You are also welcome to join; it is an open design team. 

The security requirements document has been updated, and I have distributed the meeting minutes to the list. 
All the drafts will be refreshed in time for the submission deadline. 

Ciao
Hannes

On Feb 4, 2013, at 7:02 PM, Lewis Adam-CAL022 wrote:

> Speaking of ... what is the status of the HOK work?  The last draft has expired and it's fallen off of the OAuth page now.  
> 
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Monday, February 04, 2013 10:58 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
> 
> On 04/02/13 16:27, William Mills wrote:
>> There are two efforts at signed token types: MAC which is still a
>> possibility if we wake up and do it,
> 
> I'd rephrase it slightly differently: it is a possibility right now. 
> OAuth2 supports custom tokens; the fact that OAuth2 may not formally 
> approve MAC won't preclude the use of MAC in an OAuth2-compliant manner.
> 
> Of course, OAuth2 putting a stamp of approval will make it more visible; 
> without it, the existing MAC draft issues (if any) will end up being 
> addressed at the specific implementation level only - not ideal for the 
> community at large, but it is up to OAuth2...
> 
> Cheers, Sergey
> 
>> and the "Holder Of Key" type tokens.
>> 
>> There are a lot of folks that agree with you.
>> 
>> ------------------------------------------------------------------------
>> *From:* L. Preston Sego III <LPSego3@gmail.com>
>> *To:* oauth@ietf.org
>> *Sent:* Friday, February 1, 2013 7:37 AM
>> *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
>> 
>> In an oauth2 request, the access token is passed along in the header,
>> with nothing else.
>> 
>> As I understand it, oauth2 was designed to be simple for everyone to
>> use. And while that's true, I don't really like how all of the security
>> is reliant on SSL.
>> 
>> What if an attacker can strip away SSL using a tool such as sslstrip (or
>> whatever else would be more suitable for modern https)? They would be
>> able to see the access token and start forging whatever requests they
>> want to.
>> 
>> Why not do some sort of RSA-type public-private key thing like back in
>> Oauth1, where there is verification of the payload on each request? Just
>> use a better algorithm?
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
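The quoted thread contrasts bearer tokens, which anyone who strips TLS can read and replay, with MAC-style tokens that sign each request. The block below is an added example, not code from the list discussion or from the MAC draft; its header layout and canonical string are a simplified constructed scheme rather than the draft's wire format. The client signs method, host, path, body hash, timestamp and nonce with a shared key, and the resource server rejects altered, stale or replayed requests.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed sample credential: the authorization server hands the client a key
# id plus a shared MAC key; only the id (never the key) appears on the wire.
MAC_KEY_ID = "constructed-key-id"
MAC_KEY = b"constructed-shared-secret-not-a-real-key"

def normalized_string(ts, nonce, method, host, path, body):
    """Canonical form of the request parts the signature commits to."""
    body_hash = hashlib.sha256(body).hexdigest() if body else ""
    return "\n".join([str(ts), nonce, method.upper(), host.lower(), path, body_hash]) + "\n"

def sign_request(key, key_id, method, host, path, body=b"", ts=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = normalized_string(ts, nonce, method, host, path, body).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

class MacVerifier:
    """Resource server side: checks signature, freshness and replay."""
    def __init__(self, keys, window=60):
        self.keys = keys        # key id -> shared MAC key
        self.window = window    # tolerated clock skew in seconds
        self.seen = set()       # (id, ts, nonce) tuples already accepted

    def verify(self, header, method, host, path, body=b"", now=None):
        now = int(time.time()) if now is None else now
        if not header.startswith("MAC "):
            return False, "not a MAC header"
        p = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
        key = self.keys.get(p.get("id"))
        if key is None:
            return False, "unknown key id"
        if not p.get("ts", "").isdigit() or abs(now - int(p["ts"])) > self.window:
            return False, "stale timestamp"
        nonce = p.get("nonce", "")
        msg = normalized_string(p["ts"], nonce, method, host, path, body).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return False, "bad mac"     # request altered, or signed with another key
        if (p["id"], p["ts"], nonce) in self.seen:
            return False, "replay"      # a captured header is useless a second time
        self.seen.add((p["id"], p["ts"], nonce))
        return True, "ok"
```

A sniffed header reveals the key id and one signature but not the key, and the nonce set makes the captured header single-use within the time window.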