My only uneducated view is that I do not want to deal with this in the MAC draft (which is being transformed into a completely generic HTTP authentication scheme and will move out of this WG with the next draft). Other than that, I don't have an opinion.
EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of William J. Mills
Sent: Tuesday, April 05, 2011 5:45 PM
To: OAuth WG
Subject: [OAUTH-WG] Channel binding and OAuth profiles

In working on the SASL mechanism spec for OAuth we have to deal with Channel Binding. Sparing you the gory details there, I believe that the right thing to do is to add the channel binding information into the tunneled HTTP/OAuth authentication. For those OAuth profiles like MAC and SAML that have shared secrets and signatures, the channel binding information should be added into the signed payload. Should the definition of this be in the SASL mechanism spec (updating the OAuth profile behavior), or is the right place for this to have each OAuth profile define how channel binding is carried individually?

Using MAC as a strawman, the only convenient places to add this payload are the body and as an additional query parameter. Both of these have drawbacks; of the two, I nominally prefer defining a new query parameter for this case. The usage in SASL is pretty limited at this time, so a query parameter will work just fine. Given OAuth is primarily defined in an HTTP context, I don't think I'm stepping on anything because I doubt anyone else is dealing with Channel Binding.

Mechanisms that have a shared secret and signing could actually use CB to guarantee no MITM in an SSL context, which some would argue has significant value.

If anyone has strong opinions on this topic please let me know.

Thanks,

-bill
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
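The query-parameter approach Bill sketches for the MAC profile, worked through as an added example that is not part of this thread or of any OAuth draft: the channel-binding value (e.g. tls-unique) rides as a query parameter, the request-uri field of the MAC normalized request string therefore covers it, and the server accepts only when the MAC verifies and the bound value matches the TLS session it actually terminated. The parameter name `cb`, the use of HMAC-SHA256, and the sample secret and tls-unique bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CB_PARAM = "cb"  # hypothetical query parameter carrying the channel-binding value


def add_channel_binding(request_uri: str, tls_unique: bytes) -> str:
    """Append the channel-binding value as a query parameter (assumed encoding: base64)."""
    parts = urlsplit(request_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((CB_PARAM, base64.b64encode(tls_unique).decode("ascii")))
    return urlunsplit(parts._replace(query=urlencode(query)))


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Field order follows the MAC draft's normalized request string; because the
    request-uri field includes the query, the cb parameter is covered by the MAC."""
    fields = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def mac_sign(key: bytes, ts, nonce, method, request_uri, host, port, ext="") -> str:
    nrs = normalized_request_string(ts, nonce, method, request_uri, host, port, ext)
    digest = hmac.new(key, nrs.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def client_request(key, tls_unique, ts, nonce, method, request_uri, host, port):
    """Client side: bind the request to its own TLS session, then sign."""
    uri = add_channel_binding(request_uri, tls_unique)
    return {"ts": ts, "nonce": nonce, "method": method, "uri": uri, "host": host,
            "port": port, "mac": mac_sign(key, ts, nonce, method, uri, host, port)}


def server_verify(key: bytes, server_tls_unique: bytes, req: dict) -> bool:
    """Server side: the MAC must verify AND the signed cb value must equal the
    tls-unique of the connection the server terminated. A request relayed through
    another TLS session fails the second check; rewriting cb breaks the first."""
    expected = mac_sign(key, req["ts"], req["nonce"], req["method"],
                        req["uri"], req["host"], req["port"])
    if not hmac.compare_digest(expected, req["mac"]):
        return False
    params = dict(parse_qsl(urlsplit(req["uri"]).query, keep_blank_values=True))
    own_cb = base64.b64encode(server_tls_unique).decode("ascii")
    return hmac.compare_digest(params.get(CB_PARAM, ""), own_cb)
```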