Re: [OAUTH-WG] Cache-Control headers for Bearer URI Query Parameter method

William Mills <wmills@yahoo-inc.com> Thu, 17 May 2012 22:32 UTC

References: <4E1F6AAD24975D4BA5B16804296739436650C821@TK5EX14MBXC284.redmond.corp.microsoft.com>
Message-ID: <1337293975.5655.YahooMailNeo@web31812.mail.mud.yahoo.com>
Date: Thu, 17 May 2012 15:32:55 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436650C821@TK5EX14MBXC284.redmond.corp.microsoft.com>
Subject: Re: [OAUTH-WG] Cache-Control headers for Bearer URI Query Parameter method

That works.
>________________________________
> From: Mike Jones <Michael.Jones@microsoft.com>
>To: "oauth@ietf.org" <oauth@ietf.org> 
>Sent: Thursday, May 17, 2012 3:12 PM
>Subject: [OAUTH-WG] Cache-Control headers for Bearer URI Query Parameter method
> 
>
> 
>Dear working group members:
> 
>I'm going through the remaining open issues that have been raised about the Bearer spec so as to be ready to publish an updated draft once the outstanding consensus call issues are resolved.
> 
>Amos Jeffries had cited this requirement in the HTTPbis spec (http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1):
> 
>   o  The credentials carried in an Authorization header field are
>      specific to the User Agent, and therefore have the same effect on
>      HTTP caches as the "private" Cache-Control response directive,
>      within the scope of the request they appear in.
> 
>      Therefore, new authentication schemes which choose not to carry
>      credentials in the Authorization header (e.g., using a newly
>      defined header) will need to explicitly disallow caching, by
>      mandating the use of either Cache-Control request directives
>      (e.g., "no-store") or response directives (e.g., "private").
> 
>I propose to add the following text in order to satisfy this requirement.  I have changed Amos' MUSTs to SHOULDs because, in practice, applications that have no option but to use the URI Query Parameter method are likely to also not have control over the request's Cache-Control directives (just as they do not have the ability to use an "Authorization: Bearer" header value):
> 
>    Clients using the URI Query Parameter method SHOULD also send a
>    Cache-Control header containing the "no-store" option.  Server success
>    (2XX status) responses to these requests SHOULD contain a Cache-Control
>    header with the "private" option.
> 
>Comments?
> 
>                                                                -- Mike
> 
>-----Original Message-----
>From: Amos Jeffries [mailto:squid3@treenet.co.nz] 
>Sent: Monday, April 23, 2012 10:13 PM
>To: Mike Jones
>Cc: oauth@ietf.org
>Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
> 
>On 24/04/2012 4:33 p.m., Mike Jones wrote:
>> What specific language would you suggest be added to what section(s)?
>>  
>>                                                             -- Mike
> 
> 
>Perhaps the last paragraph appended:
>"
> 
>    Because of the security weaknesses associated with the URI method
>    (see Section 5), including the high likelihood that the URL
>    containing the access token will be logged, it SHOULD NOT be used
>    unless it is impossible to transport the access token in the
>    "Authorization" request header field or the HTTP request entity-body.
>    Resource servers compliant with this specification MAY support this
>    method.
> 
>    Clients requesting a URL containing the access token MUST also send a
>    Cache-Control header containing the "no-store" option. Server success
>    (2xx status) responses to these requests MUST contain a Cache-Control
>    header with the "private" option.
> 
>"
> 
>I'm a little suspicious that the "SHOULD NOT" in that top paragraph likely should be a MUST NOT to further discourage needless use.
> 
> 
>AYJ
> 
> 
>>  
>> -----Original Message-----
>> From: oauth-bounces@ietf.org On Behalf Of Amos Jeffries
>> Sent: Monday, April 23, 2012 7:10 PM
>> To: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
>>  
>> On 24.04.2012 13:46, internet-drafts@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>> directories. This draft is a work item of the Web Authorization 
>>> Protocol Working Group of the IETF.
>>>  
>>>           Title           : The OAuth 2.0 Authorization Protocol: Bearer Tokens
>>>           Author(s)       : Michael B. Jones
>>>                            Dick Hardt
>>>                            David Recordon
>>>           Filename        : draft-ietf-oauth-v2-bearer-19.txt
>>>           Pages           : 24
>>>           Date            : 2012-04-23
>>>  
>>>     This specification describes how to use bearer tokens in HTTP
>>>     requests to access OAuth 2.0 protected resources.  Any party in
>>>     possession of a bearer token (a "bearer") can use it to get access to
>>>     the associated resources (without demonstrating possession of a
>>>     cryptographic key).  To prevent misuse, bearer tokens need to be
>>>     protected from disclosure in storage and in transport.
>>>  
>>>  
>>> A URL for this Internet-Draft is:
>>> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt
>>  
>>  
>> The section 2.3 (URL Query Parameter) text is still lacking explicit and specific security requirements. The overarching TLS requirement is good in general, but insufficient in the presence of HTTP intermediaries on the TLS connection path as is becoming a common practice.
>>  
>> The upcoming HTTPbis specs document this issue as a requirement for new auth schemes such as Bearer:
>>  
>> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
>> "
>>         Therefore, new authentication schemes which choose not to carry
>>         credentials in the Authorization header (e.g., using a newly
>>         defined header) will need to explicitly disallow caching, by
>>         mandating the use of either Cache-Control request directives
>>         (e.g., "no-store") or response directives (e.g., "private").
>> "
>>  
>>  
>> AYJ
>>  
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>  
>>  
> 
> 
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
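The exchange the thread is arguing about, as an added example that is not part of the thread, the Bearer draft or the HTTPbis draft: a small model of how a shared HTTP cache decides whether it may store a 2xx response, applied to the Authorization-header method and to the URI query parameter method with and without the proposed Cache-Control directives. The storability rules are a simplification of draft-ietf-httpbis-p7-auth-19 section 2.3.1 (a request carrying Authorization has the same effect on shared caches as a "private" response) plus the ordinary meaning of "no-store" and "private"; real caches have more rules (Vary, explicit freshness, etc.) that are deliberately left out. All function names, the resource URL and the sample token are my own constructions.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed sample values for illustration only (not from the thread).
SAMPLE_TOKEN = "mF_9.B5f-4.1JqM"
RESOURCE = "https://server.example.com/resource"


def _lower_keys(headers):
    """Header field names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_cache_control(value):
    """Return the set of directive names (lowercase) in a Cache-Control field value."""
    names = set()
    for part in (value or "").split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def shared_cache_may_store(request_headers, status, response_headers):
    """Simplified shared-cache storability decision for a 2xx response.

    Modelled rules: "no-store" in either direction forbids storage; "private"
    in the response forbids storage in a shared cache; a request carrying an
    Authorization field is treated like "private" unless the response says
    "public" (the p7-auth 2.3.1 behaviour). Everything else is storable.
    """
    req = _lower_keys(request_headers)
    resp = _lower_keys(response_headers)
    if not 200 <= status < 300:
        return False  # the thread only discusses success responses
    req_cc = parse_cache_control(req.get("cache-control"))
    resp_cc = parse_cache_control(resp.get("cache-control"))
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if "private" in resp_cc:
        return False
    if "authorization" in req and "public" not in resp_cc:
        return False
    return True


def token_in_cache_key(url):
    """True when the token is in the request-URI, and therefore in the cache key and logs."""
    return "access_token" in parse_qs(urlsplit(url).query)


def header_method_request(token):
    """Bearer token carried in the Authorization header field (preferred method)."""
    return RESOURCE, {"Authorization": "Bearer " + token}


def query_method_request(token, send_no_store=True):
    """Bearer token as a URI query parameter, optionally with the proposed client directive."""
    parts = urlsplit(RESOURCE)
    url = urlunsplit(parts._replace(query=urlencode({"access_token": token})))
    headers = {"Cache-Control": "no-store"} if send_no_store else {}
    return url, headers


def run_scenarios():
    """Return {scenario: (token_in_cache_key, shared_cache_may_store)} for the four cases."""
    results = {}
    url, hdrs = header_method_request(SAMPLE_TOKEN)
    results["header"] = (token_in_cache_key(url),
                         shared_cache_may_store(hdrs, 200, {}))
    url, hdrs = query_method_request(SAMPLE_TOKEN, send_no_store=False)
    results["query-no-directives"] = (token_in_cache_key(url),
                                      shared_cache_may_store(hdrs, 200, {}))
    url, hdrs = query_method_request(SAMPLE_TOKEN)
    results["query-client-no-store"] = (token_in_cache_key(url),
                                        shared_cache_may_store(hdrs, 200, {}))
    url, hdrs = query_method_request(SAMPLE_TOKEN, send_no_store=False)
    results["query-server-private"] = (token_in_cache_key(url),
                                       shared_cache_may_store(hdrs, 200, {"Cache-Control": "private"}))
    return results


if __name__ == "__main__":
    for name, (in_key, storable) in run_scenarios().items():
        print(f"{name:24} token in cache key: {str(in_key):5} shared cache may store: {storable}")
```

The "query-no-directives" case is the one Amos Jeffries is pointing at: with no Authorization field present, nothing in the request tells an intermediary cache that the response is user-specific, so it is storable and the token-bearing URL becomes the cache key. Either the client's "no-store" or the server's "private" closes that gap, which is why the proposed text puts a directive on each side; the server-side "private" is the one that still helps when the client cannot set request headers, as Mike Jones's note about SHOULD versus MUST assumes.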