Re: [OAUTH-WG] Token Transfer Protocol
George Fletcher <gffletch@aol.com> Tue, 19 October 2010 18:14 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E61153A6882 for <oauth@core3.amsl.com>; Tue, 19 Oct 2010 11:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.63
X-Spam-Level:
X-Spam-Status: No, score=-1.63 tagged_above=-999 required=5 tests=[AWL=0.368, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id em0dVqGmTayN for <oauth@core3.amsl.com>; Tue, 19 Oct 2010 11:14:27 -0700 (PDT)
Received: from imr-da02.mx.aol.com (imr-da02.mx.aol.com [205.188.105.144]) by core3.amsl.com (Postfix) with ESMTP id 4D16A3A67AB for <oauth@ietf.org>; Tue, 19 Oct 2010 11:14:27 -0700 (PDT)
Received: from mtaout-da02.r1000.mx.aol.com (mtaout-da02.r1000.mx.aol.com [172.29.51.130]) by imr-da02.mx.aol.com (8.14.1/8.14.1) with ESMTP id o9JIFkYN024381; Tue, 19 Oct 2010 14:15:46 -0400
Received: from palantir.local (unknown [10.172.2.144]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da02.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 1B3AAE0002AB; Tue, 19 Oct 2010 14:15:42 -0400 (EDT)
Message-ID: <4CBDE04C.1000500@aol.com>
Date: Tue, 19 Oct 2010 14:15:40 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: oauth@ietf.org
References: <4CBC6FC0.5040708@cs.uni-goettingen.de>
In-Reply-To: <4CBC6FC0.5040708@cs.uni-goettingen.de>
Content-Type: multipart/alternative; boundary="------------020409070901000401020001"
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:421673056:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33824cbde04e4019
X-AOL-IP: 10.172.2.144
Subject: Re: [OAUTH-WG] Token Transfer Protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2010 18:14:29 -0000
Question on the Reflection-Key parameter when it is generated from the source IP and port pair. Is the server receiving the request supposed to verify that the data in the Reflection-Key matches the data of the inbound connection? If so, then I think NAT'ing firewalls, proxies and network SSL off-loaders (e.g. netscalers) will break the security mechanism. Thanks, George On 10/18/10 12:03 PM, Niklas Neumann wrote: > Hello everybody, > > I am currently working on a projected related to authentication and > secure token transfer between multiple devices. As such we are > employing a simple protocol that handles token transfers independent > of the actual type of token. We have adapted the protocol to be used > with OAuth tokens and submitted it as an Internet Draft: > http://tools.ietf.org/html/draft-neumann-oauth-token-transfer > > I was wondering if there is interest in employing such a protocol in > cases where the HTTP redirection schemes of OAuth are not available or > not working well (e.g. desktop applications without access to a user > agent or authentication from a different device/application than the > one accessing the consumer). > > Compared to other proposals such as > draft-dehora-farrell-oauth-accesstoken-creds the STTP is more > heavyweight but in turn it also has more options. With regards to > authentication we didn't use SASL for complexity reasons in our work > initialy but I don't see any reason not to include it if this is > deemed more appropriate. > > The work that the draft is based on is still ongoing. Please > understand the draft as no more than a discussion proposal on how > OAuth could be opened to non-web-based environments and scenarios that > involve multiple devices without overloading the OAuth specification > itself. I am happy to further improve the draft if you think this > might be a viable option. > > Best regards > Niklas >
- [OAUTH-WG] Token Transfer Protocol Niklas Neumann
- Re: [OAUTH-WG] Token Transfer Protocol Justin Richer
- Re: [OAUTH-WG] Token Transfer Protocol Igor Faynberg
- Re: [OAUTH-WG] Token Transfer Protocol Marius Scurtescu
- Re: [OAUTH-WG] Token Transfer Protocol Niklas Neumann
- Re: [OAUTH-WG] Token Transfer Protocol George Fletcher
- Re: [OAUTH-WG] Token Transfer Protocol Niklas Neumann