Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 09 March 2015 03:06 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
Date: Mon, 09 Mar 2015 03:06:07 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A366B1364@xmb-rcd-x10.cisco.com>
References: <54F9CB3D.4000200@cs.tcd.ie> <54F9F932.7060701@gmx.net>
In-Reply-To: <54F9F932.7060701@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/xamhCultwqLaxuHibCZjrkZmNtI>
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?

Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses the long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism.

In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled).

Thoughts on which one should be mandatory to implement?
(This question came up in IESG review and probably would be a question for the proof-of-possession work as well.)

Thanks and Regards,
-Tiru

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
> 
> Hi all,
> 
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
> 
> Ciao
> Hannes
> 
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
> 
> 
> Hiya,
> 
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
> 
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
> 
> Thanks in advance,
> S.
> 
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 
>
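The exchange Tiru's question turns on, as an added illustration that is not part of this thread and not the token format of draft-ietf-tram-turn-third-party-authz or the PoP architecture draft: the AS and RS share a long-term key (however it was established), the AS issues a token protected under that key, the client holds a session key and proves possession of it on each request, and the RS checks both. The design choice here of deriving the session key from the long-term key and a per-token nonce, rather than encrypting it into the token, is an assumption made so the example runs on the Python standard library alone; the key id `kid`, the labels and the sample values are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import time

HASH = hashlib.sha256


def _kdf(long_term_key: bytes, label: bytes, nonce: bytes) -> bytes:
    """HMAC-based derivation (illustrative, not the draft's mechanism): the
    session key is bound to the AS/RS long-term key and a fresh per-token nonce."""
    return hmac.new(long_term_key, label + b"\x00" + nonce, HASH).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Authorization server ---
def as_issue_token(long_term_key: bytes, kid: str, client_id: str,
                   lifetime: int, now=None) -> tuple:
    """Return (token, session_key). The session key goes to the client over the
    TLS-protected OAuth exchange; only the token is forwarded to the RS."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    body = {"kid": kid, "client_id": client_id, "nonce": _b64(nonce),
            "iat": now, "exp": now + lifetime}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(long_term_key, payload, HASH).digest()  # integrity under AS/RS key
    session_key = _kdf(long_term_key, b"session", nonce)
    return _b64(payload) + "." + _b64(tag), session_key


# --- Client ---
def client_sign_request(session_key: bytes, token: str, request: bytes) -> bytes:
    """Proof of possession: MAC over the request, bound to the token it accompanies."""
    return hmac.new(session_key, token.encode() + b"\x00" + request, HASH).digest()


# --- Resource server ---
def rs_verify(rs_keys: dict, token: str, request: bytes, pop_tag: bytes, now=None) -> bool:
    """rs_keys maps key id -> long-term key shared with that AS. Any mismatch
    (unknown kid, different key, expired token, altered request) is rejected."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        long_term_key = rs_keys[body["kid"]]
    except (ValueError, KeyError):
        return False
    # 1. Token integrity under the long-term key, constant-time comparison.
    expected_tag = hmac.new(long_term_key, payload, HASH).digest()
    if not hmac.compare_digest(expected_tag, _unb64(tag_b64)):
        return False
    # 2. Lifetime window.
    if not (body["iat"] <= now < body["exp"]):
        return False
    # 3. Re-derive the session key and check the client's proof of possession.
    session_key = _kdf(long_term_key, b"session", _unb64(body["nonce"]))
    expected_pop = hmac.new(session_key, token.encode() + b"\x00" + request, HASH).digest()
    return hmac.compare_digest(expected_pop, pop_tag)


if __name__ == "__main__":
    shared = os.urandom(32)                      # constructed AS/RS long-term key
    tok, sk = as_issue_token(shared, "as-1", "client-a", 300)
    tag = client_sign_request(sk, tok, b"ALLOCATE example-request")
    print("verified:", rs_verify({"as-1": shared}, tok, b"ALLOCATE example-request", tag))
```

Everything the RS checks depends on holding the same long-term key as the AS, which is why the question of how that key is established (out of band, or by one of the other mechanisms) decides the security of the whole scheme: an RS configured with a different key, as in the loosely-coupled case gone wrong, rejects every token that AS issues.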