Re: [OAUTH-WG] OAuth MAC token type draft

Wed, 12 Jan 2011 11:57:06 -0800 

Eran,

I still don't understand, sorry.
Here is the scenario: When a principal that impersonates the resource server gets a token (already signed and ready to go, of course) it can present it to the real resource server and get access to resources.
This is what I thought Torsten meant by "token abuse", and what, for sure, I meant. I don't see how this threat is addressed. I do think it must be addressed.
The simplest thing, I believe, is always to require server authentication. (This will cover the case of the counterfeit servers, but it would not cover any case in which the token is intercepted or stolen. For the latter case client authentication must be nundatory.) 

Igor


Eran Hammer-Lahav wrote:

-----Original Message-----
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Monday, January 10, 2011 1:08 PM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] OAuth MAC token type draft

Eran,

- Authentication schemes
You propose to use the authentication scheme name "OAuth2" for the
WWW-Authenticate header but another scheme name "MAC" for the
authorization header. I've never seen such an asymmetric approach before.
Don't you think people get confused about that? Moreover, the bearer draft
also uses the name "OAuth2" in the authorization header.  Why this
difference? Why don't you just add some parameters to the "OAuth2"
scheme?


This was proposed by James Manger and discussed earlier on the list. I'll let 
James explain it.


- 6.3. Spoofing by Counterfeit Servers
The protocol does not support server authentication but it should prevent
token abuse by the Counterfeit server, shouldn't it?


It does because the token secret is never sent.

EHL


regards,
Torsten.

Am 09.01.2011 18:18, schrieb Eran Hammer-Lahav:
http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token

Feedback appreciated, especially for section 3.2.1 (the new normalized
request string) which is an attempt to take the HMAC-SHA1 flow from 1.0a
and simplify it.

No body signature support yet, but will add that in -01.

EHL


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to