Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
Amos Jeffries <squid3@treenet.co.nz> Tue, 24 April 2012 02:10 UTC
On 24.04.2012 13:46, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Web Authorization
> Protocol Working Group of the IETF.
>
> Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens
> Author(s) : Michael B. Jones
> Dick Hardt
> David Recordon
> Filename : draft-ietf-oauth-v2-bearer-19.txt
> Pages : 24
> Date : 2012-04-23
>
> This specification describes how to use bearer tokens in HTTP
> requests to access OAuth 2.0 protected resources. Any party in
> possession of a bearer token (a "bearer") can use it to get access to
> the associated resources (without demonstrating possession of a
> cryptographic key). To prevent misuse, bearer tokens need to be
> protected from disclosure in storage and in transport.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt

The section 2.3 (URL Query Parameter) text is still lacking explicit and specific security requirements.

The overarching TLS requirement is good in general, but insufficient in the presence of HTTP intermediaries on the TLS connection path, as is becoming a common practice.

The upcoming HTTPbis specs document this issue as a requirement for new auth schemes such as Bearer:
http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1

"
Therefore, new authentication schemes which choose not to carry credentials in the Authorization header (e.g., using a newly defined header) will need to explicitly disallow caching, by mandating the use of either Cache-Control request directives (e.g., "no-store") or response directives (e.g., "private").
"

AYJ
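As an added illustration of the caching concern raised in the message above (example code written for this archive page, not from the draft, the HTTPbis text or any participant): a resource server that accepts the section 2.3 query-parameter form applies both directives the quoted HTTPbis passage names, sending "Cache-Control: private" on the response and flagging requests that omitted "Cache-Control: no-store". The token value, realm and token store are constructed.

```python
"""Resource-server handling of bearer tokens that arrive in the URL query.

Constructed example. A token carried as a query parameter is part of the
request URI, so an HTTP intermediary on the path sees it and may use it as
a cache key; a shared cache could then serve the protected response to
anyone. Mitigation shown: respond with "Cache-Control: private" and flag
clients that did not send "Cache-Control: no-store".
"""
from urllib.parse import parse_qs, urlsplit

# Constructed token store (hypothetical value): token -> resource owner.
VALID_TOKENS = {"mF_9.B5f-4.1JqM": "alice"}


def extract_bearer(headers, url):
    """Return (token, source); source is 'header', 'query' or None.

    The Authorization header takes precedence; the access_token query
    parameter is the fallback described in section 2.3 of the draft.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip(), "header"
    qs = parse_qs(urlsplit(url).query)
    if qs.get("access_token"):
        return qs["access_token"][0], "query"
    return None, None


def handle_request(headers, url):
    """Authenticate and build response headers.

    Returns (status, response_headers, warnings); warnings lists cache
    hygiene problems worth logging on the resource server.
    """
    token, source = extract_bearer(headers, url)
    warnings = []
    if token is None or token not in VALID_TOKENS:
        # Bearer challenge; the presented token is never echoed back.
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}, warnings
    resp = {"Content-Type": "application/json"}
    if source == "query":
        # Response directive: a shared cache must not store a response
        # whose cache key (the URL) contains the bearer token.
        resp["Cache-Control"] = "private"
        # Request directive the client should have sent alongside the token.
        if "no-store" not in headers.get("Cache-Control", "").lower():
            warnings.append("token in query without Cache-Control: no-store")
    return 200, resp, warnings
```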