Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 09 March 2015 05:48 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551711A700C for <oauth@ietfa.amsl.com>; Sun, 8 Mar 2015 22:48:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hYOV5z5YC8z for <oauth@ietfa.amsl.com>; Sun, 8 Mar 2015 22:48:51 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16DA61A7007 for <oauth@ietf.org>; Sun, 8 Mar 2015 22:48:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=27690; q=dns/txt; s=iport; t=1425880131; x=1427089731; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=Pe7jhJD5D0KVghuBvAy6uefG0uWayjegEKqm3mrw45I=; b=NMrt5k9swkOlInFOZb9gBtX3YFtmRMNtzyeNGldp38F60aXSDB1pg3EJ gxL1SLhh0gmwQ0w+JLGj3IHq1jcTWp4fbmo24AexSSjPiVecWcuNsWpZf yLcZ4vl4LI3r2s+FrMhZL5GGa3dGaH8l46C1UO8IIJWwTDUrSjd+SKz3F k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0APDgBzM/1U/5tdJa1agkNDUloEgwavRI1DPIFwAQuFbgIcgQpNAQEBAQEBfIQPAQEBBAEBASAKQRcEAgEIDgMBAgEBAQsWBwMCAgIlCxMBAwYIAgQBEgiIEwMRDagcmxwBAQEBAQEBAQEBAQEBAQEBAQEBAQEXixeCRIF5FgoNCgEGgmIvgRYFgUyDJAqLFYNkhC2CXDmCb4kfhhMjg25vAQGBQn8BAQE
X-IronPort-AV: E=Sophos;i="5.11,365,1422921600"; d="scan'208,217";a="130050345"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP; 09 Mar 2015 05:48:50 +0000
Received: from xhc-aln-x04.cisco.com (xhc-aln-x04.cisco.com [173.36.12.78]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t295mo1b031347 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 9 Mar 2015 05:48:50 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.156]) by xhc-aln-x04.cisco.com ([173.36.12.78]) with mapi id 14.03.0195.001; Mon, 9 Mar 2015 00:48:49 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Bill Mills <wmills_92105@yahoo.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
Thread-Index: AQHQWD/GweO4O9/c5k2+8afKUY3J9Z0TcdhggAB8WAD//7OEQIAAWHyA//+sriA=
Date: Mon, 09 Mar 2015 05:48:48 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A366B1571@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A366B14BD@xmb-rcd-x10.cisco.com> <370734452.1179117.1425879579160.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <370734452.1179117.1425879579160.JavaMail.yahoo@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.41.238]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A366B1571xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yK7Si2gCiFzBN1e8iyF7uxzDWtQ>
Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 05:48:57 -0000
In this use case RS and AS could be implemented and operated by different providers, MTI solves the interop issue. -Tiru From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Monday, March 09, 2015 11:10 AM To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out? Explain to me why there should be one other than the desire to over-specify? Why is one so clearly superior to any of the various possibilities that it should be mandated? I do not think that there is any clearly superior mechanism and so making any particular one MTI is pointless and just likely to cause perfectly good implementations to be out of spec. On Sunday, March 8, 2015 10:24 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: Hi Bill, Can you please provide more details why mandating specific key distribution mechanism is not appropriate especially in case of loosely coupled systems ? -Tiru From: Bill Mills [mailto:wmills_92105@yahoo.com] Sent: Monday, March 09, 2015 10:27 AM To: Tirumaleswar Reddy (tireddy); Hannes Tschofenig; oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out? I do not believe making any specific key distribution MTI is aproprpiate. On Sunday, March 8, 2015 8:06 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: Hi Hannes, http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-01#section-5.3 discusses long-term secret shared by the authorization server with the resource server but does not mention the out-of-band mechanism. In http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13#section-4.1.1 we had provided three mechanisms for long-term key establishment. In this use case RS and AS could be offered by the same provider (tightly-coupled) or by different providers (loosely-coupled). Thoughts on which one should be mandatory to implement ? (This question came up in ISEG review and probably would be a question for proof-of-possession work as well) Thanks and Regards, -Tiru > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf Of Hannes Tschofenig > Sent: Saturday, March 07, 2015 12:30 AM > To: oauth@ietf.org<mailto:oauth@ietf.org> > Subject: [OAUTH-WG] Fwd: [saag] tram draft - anyone willing to help out? > > Hi all, > > does anyone have free cycles to review > draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0 in a way > that is similar to the proof-of-possession work with a new access token format. > > Ciao > Hannes > > -------- Forwarded Message -------- > Subject: [saag] tram draft - anyone willing to help out? > Date: Fri, 06 Mar 2015 15:43:57 +0000 > From: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> > To: saag@ietf.org<mailto:saag@ietf.org> <saag@ietf.org<mailto:saag@ietf.org>> > > > Hiya, > > There's a draft in IESG eval that attracted a bunch of perhaps fundamental > discusses and comments [1] about its security properties. I think this may be one > where the authors could do with a bit more help from the security > mafia^H^H^H^H^Hcommunity. > (I looked at their wg list and only see a v. thin smattering of names I'd recognise > from this list.) So if you're willing and have a little time, please let me know > and/or get in touch with the authors. > > And btw - this might not seem so important but I'd worry it may end up being a > major source of system level vulnerabilities for WebRTC deployments if we get it > wrong and many sites don't deploy usefully good security for this bit of the > WebRTC story. > > Thanks in advance, > S. > > [1] > https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ballot/ > > _______________________________________________ > saag mailing list > saag@ietf.org<mailto:saag@ietf.org> > https://www.ietf.org/mailman/listinfo/saag > > _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: [saag] tram draft - anyone willin… Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Bill Mills
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Bill Mills
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Fwd: [saag] tram draft - anyone wi… Bill Mills