Re: [OAUTH-WG] [Unbearable] [http-auth] unbearable - new mailing list to discuss better than bearer tokens...

Phil Hunt <phil.hunt@oracle.com> Sat, 06 December 2014 19:49 UTC

From: Phil Hunt <phil.hunt@oracle.com>
Date: Sat, 06 Dec 2014 11:49:02 -0800
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "unbearable@ietf.org" <unbearable@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Unbearable] [http-auth] unbearable - new mailing list to discuss better than bearer tokens...
Message-Id: <B72B8742-2376-4217-9A78-129C6A429E5C@oracle.com>
In-Reply-To: <548330CC.20906@cs.tcd.ie>
References: <5481E0A7.2090604@cs.tcd.ie> <2DF4B463-DD15-42BE-85AE-121C14E19A8F@oracle.com> <548330CC.20906@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/xwYVYhUMQHAD80crRt-q87adalQ
List-Id: OAUTH WG <oauth.ietf.org>

:-)

Phil

> On Dec 6, 2014, at 08:37, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> 
> Hi Phil,
> 
> Good points that need discussing but I'd suggest we give the new
> list a few days to allow folks to subscribe and then have that
> discussion.
> 
> Thanks,
> S.
> 
>> On 06/12/14 16:08, Phil Hunt wrote:
>> On the surface (as currently presented) this work appears to duplicate the POP work going on in OAuth.  The key difference is that this work is focused on using ALPN to bind tokens to the TLS channel. From a use case perspective it is very close to OAuth POP, and a specific use case of the current OAuth POP (proof of possession) architecture.
>> 
>> I note that the OAuth WG had originally dropped TLS binding in part because TLS was not always end-to-end in cases where load balancers were used. The identified use-cases required end-to-end proof of possession (e.g. to prevent token re-use and relaying).
>> 
>> Nevertheless, events and approaches change and this is worth discussing (again).
>> 
>> I think the architectural/protocol issues around the use of load balancers have to be discussed as the current ALPN proposal may be unbearable for many. 
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>>> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>> 
>>> 
>>> Hiya,
>>> 
>>> Following up on the presentation at IETF-91 on this topic, [1]
>>> we've created a new list [2] for moving that along. The list
>>> description is:
>>> 
>>> "This list is for discussion of proposals for doing better than bearer
>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>>> The specific goal is chartering a WG focused on preventing security
>>> token export and replay attacks."
>>> 
>>> If you're interested please join in.
>>> 
>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>> 
>>> We'll kick off discussion in a few days when folks have had
>>> a chance to subscribe.
>>> 
>>> Cheers,
>>> S.
>>> 
>>> PS: Please don't reply-all to this, join the new list, wait
>>> a few days and then say what you need to say:-)
>>> 
>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>> 
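The exchange above contrasts three ways of presenting a token: a plain bearer token, an OAuth proof-of-possession (PoP) token bound to a client-held key, and a token bound to the TLS channel, with Phil's point that the channel-bound form breaks when a load balancer terminates TLS before the resource server. The following Python is an added illustration, not code from the IETF, the OAuth WG or any draft discussed in the thread. It assumes a simplified model in which the authorization server shares the PoP key with the resource server out of band and in which a TLS channel is identified by an opaque per-connection value (both labelled as assumptions in the code); the names AS_STATE, issue_*, rs_check_* and demo are hypothetical.

```python
"""Constructed demo (not IETF or OAuth WG code): a bearer token is replayable
once exported, a PoP token bound to a client key is not, and a token bound to
the TLS channel stops verifying behind a TLS-terminating load balancer."""
import hashlib
import hmac
import os
import secrets

# Assumption: the authorization server (AS) hands the resource server (RS)
# each token's binding out of band. Real PoP designs use introspection or a
# key carried inside a signed token; the binding semantics are the same.
AS_STATE = {"bearer": set(), "pop": {}, "channel": {}}


def issue_bearer():
    """Bearer token: possession of the string alone is proof of authority."""
    token = secrets.token_urlsafe(16)
    AS_STATE["bearer"].add(token)
    return token


def issue_pop():
    """PoP token: bound to a fresh symmetric key known only to client and RS."""
    token = secrets.token_urlsafe(16)
    key = os.urandom(32)
    AS_STATE["pop"][token] = key
    return token, key


def issue_channel_bound(tls_channel_id):
    """Channel-bound token: bound to the TLS channel it was obtained over.
    Assumption: the channel is identified by an opaque per-connection value."""
    token = secrets.token_urlsafe(16)
    AS_STATE["channel"][token] = tls_channel_id
    return token


def sign_request(key, method, path, body, nonce):
    """HMAC over the request parts the RS will check (method, path, body hash,
    nonce) so that a captured signature cannot be moved to another request."""
    msg = "\n".join([method, path, hashlib.sha256(body).hexdigest(), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def rs_check_bearer(token):
    return token in AS_STATE["bearer"]


def rs_check_pop(token, method, path, body, nonce, sig, seen_nonces):
    """Accept only if the presenter proves possession of the bound key and the
    (token, nonce) pair is fresh: an exported token without the key, or a
    replay of a captured signed request, is rejected."""
    key = AS_STATE["pop"].get(token)
    if key is None or (token, nonce) in seen_nonces:
        return False
    expected = sign_request(key, method, path, body, nonce)
    if not hmac.compare_digest(expected, sig):
        return False
    seen_nonces.add((token, nonce))
    return True


def rs_check_channel_bound(token, tls_channel_id_seen_by_rs):
    """Accept only if the RS terminates the very TLS channel the token is bound to."""
    return AS_STATE["channel"].get(token) == tls_channel_id_seen_by_rs


def demo():
    results = {}
    # 1. A bearer token exported from a log or a proxy is usable by anyone.
    b = issue_bearer()
    results["bearer_replay_accepted"] = rs_check_bearer(b)

    # 2. PoP: the legitimate signed request passes; replaying the captured
    #    request fails on the nonce; an attacker with the token but not the key
    #    cannot produce a valid signature.
    t, k = issue_pop()
    seen = set()
    nonce = secrets.token_hex(8)
    sig = sign_request(k, "GET", "/resource", b"", nonce)
    results["pop_first_use"] = rs_check_pop(t, "GET", "/resource", b"", nonce, sig, seen)
    results["pop_replay"] = rs_check_pop(t, "GET", "/resource", b"", nonce, sig, seen)
    forged = sign_request(os.urandom(32), "GET", "/resource", b"", "n2")
    results["pop_without_key"] = rs_check_pop(t, "GET", "/resource", b"", "n2", forged, seen)

    # 3. Channel binding: works end to end, but a TLS-terminating load balancer
    #    re-encrypts to the RS over a different channel, so the RS sees a
    #    channel id that does not match the one the token was bound to.
    client_to_lb = hashlib.sha256(b"constructed: client<->lb channel").hexdigest()
    lb_to_rs = hashlib.sha256(b"constructed: lb<->rs channel").hexdigest()
    c = issue_channel_bound(client_to_lb)
    results["channel_end_to_end"] = rs_check_channel_bound(c, client_to_lb)
    results["channel_behind_lb"] = rs_check_channel_bound(c, lb_to_rs)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The nonce set stands in for whatever replay cache or timestamp window a real resource server would keep; without it a captured PoP request is just as replayable as a bearer token, which is the "replay" half of the list's stated goal. The channel-binding case shows the load-balancer problem directly: the binding is only checkable by the party that terminates the client's TLS connection, so either the load balancer must do the check (and become trusted) or the binding must be carried to the back end some other way.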