Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 09 March 2015 03:06 UTC
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/xamhCultwqLaxuHibCZjrkZmNtI>

Hi Hannes,

http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism. In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled). Thoughts on which one should be mandatory to implement? (This question came up in IESG review and probably would be a question for proof-of-possession work as well)

Thanks and Regards,
-Tiru

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Saturday, March 07, 2015 12:30 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
>
> Hi all,
>
> does anyone have free cycles to review
> draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way
> that is similar to the proof-of-possession work with a new access token format.
>
> Ciao
> Hannes
>
> -------- Forwarded Message --------
> Subject: [saag] tram draft - anyone willing to help out?
> Date: Fri, 06 Mar 2015 15:43:57 +0000
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> To: saag@ietf.org <saag@ietf.org>
>
> Hiya,
>
> There's a draft in IESG eval that attracted a bunch of perhaps fundamental
> discusses and comments [1] about its security properties. I think this may be one
> where the authors could do with a bit more help from the security
> mafia^H^H^H^H^Hcommunity.
> (I looked at their wg list and only see a v. thin smattering of names I'd recognise
> from this list.) So if you're willing and have a little time, please let me know
> and/or get in touch with the authors.
>
> And btw - this might not seem so important but I'd worry it may end up being a
> major source of system level vulnerabilities for WebRTC deployments if we get it
> wrong and many sites don't deploy usefully good security for this bit of the
> WebRTC story.
>
> Thanks in advance,
> S.
>
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag