Very helpful.

EHL

From: Brian Eaton [mailto:bea...@google.com]
Sent: Thursday, June 16, 2011 8:38 AM
To: Eran Hammer-Lahav
Cc: Brian Campbell; OAuth WG
Subject: Re: [OAUTH-WG] Client authentication requirement

On Wed, Jun 15, 2011 at 6:19 PM, Eran Hammer-Lahav 
<e...@hueniverse.com> wrote:
Your comment was that having client authentication makes it easier to recover 
from an attack. I don't understand how the comments below about changing client 
secrets every 30 days are relevant. Are you suggesting to wait until the next 
routine secret cycle to revoke compromised credentials? Or that 30 days is a 
reasonable time period for ignoring an attack?

Sorry, there are multiple good reasons to require client authentication for the 
access token endpoint.

- if you need to recover from a compromise, changing the client credentials 
will prevent the attacker from abusing refresh tokens they have stolen.  
Changing a single client credential is much faster than revoking lots of 
refresh tokens.

- if you want to follow best practices for management of authentication 
credentials, you should do periodic key rotation.  Rotation of lots of refresh 
tokens is quite challenging.  Rotation of client credentials is much easier.

- if you want to bind refresh tokens to stronger authentication credentials, 
such as private keys stored in an HSM, you need to require client 
authentication when using the refresh token.

Is that helpful?

Cheers,
Brian
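The first bullet above (rotate one client credential instead of revoking many refresh tokens) is easy to see in code. The following is an added example, not code from the thread or from any OAuth implementation: a constructed in-memory token endpoint (`TokenEndpoint`, `demo_compromise_recovery` and the hypothetical `app`/`evil` clients are all assumptions) that binds each refresh token to the client it was issued to and honours the refresh grant only after the client authenticates, which is what RFC 6749 section 6 later required for confidential clients.

```python
import hashlib
import hmac
import secrets


class TokenEndpoint:
    """Minimal authorization-server token endpoint (constructed example).

    Refresh tokens are bound to the client they were issued to, and the
    refresh grant is only honoured after the client authenticates.
    """

    def __init__(self):
        self.client_secret_hashes = {}   # client_id -> sha256(secret)
        self.refresh_tokens = {}         # refresh_token -> (client_id, subject)

    @staticmethod
    def _hash(secret: str) -> bytes:
        # Secrets here are generated with high entropy, so a plain hash is
        # adequate; use a slow KDF if secrets could ever be user-chosen.
        return hashlib.sha256(secret.encode()).digest()

    def register_client(self, client_id: str) -> str:
        secret = secrets.token_urlsafe(32)
        self.client_secret_hashes[client_id] = self._hash(secret)
        return secret

    def rotate_client_secret(self, client_id: str) -> str:
        """Compromise recovery: one write, no refresh tokens touched."""
        return self.register_client(client_id)

    def issue_refresh_token(self, client_id: str, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = (client_id, subject)
        return token

    def _authenticate_client(self, client_id, client_secret) -> bool:
        stored = self.client_secret_hashes.get(client_id)
        if stored is None or client_secret is None:
            return False
        return hmac.compare_digest(stored, self._hash(client_secret))

    def refresh(self, refresh_token, client_id, client_secret) -> dict:
        """Handle grant_type=refresh_token; returns an OAuth-style response dict."""
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        binding = self.refresh_tokens.get(refresh_token)
        if binding is None or binding[0] != client_id:
            # Valid credentials for *another* client do not unlock this token.
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def outcome(response: dict) -> str:
    return "access_token" if "access_token" in response else response["error"]


def demo_compromise_recovery() -> dict:
    """Walk through the scenario in the mail: stolen refresh tokens, then rotation."""
    ep = TokenEndpoint()
    app_secret = ep.register_client("app")
    stolen = [ep.issue_refresh_token("app", f"user{i}") for i in range(3)]

    # Worst case: attacker exfiltrated refresh tokens *and* the current secret.
    before = outcome(ep.refresh(stolen[0], "app", app_secret))

    # An attacker using their own registered client cannot use app's tokens.
    evil_secret = ep.register_client("evil")
    cross = outcome(ep.refresh(stolen[1], "evil", evil_secret))

    # Recovery: rotate the single client credential, leave tokens alone.
    new_secret = ep.rotate_client_secret("app")
    after_attacker = outcome(ep.refresh(stolen[2], "app", app_secret))
    after_client = outcome(ep.refresh(stolen[2], "app", new_secret))

    return {
        "attacker_before_rotation": before,
        "cross_client": cross,
        "attacker_after_rotation": after_attacker,
        "legit_client_after_rotation": after_client,
        "refresh_tokens_still_stored": len(ep.refresh_tokens),
    }


if __name__ == "__main__":
    for key, value in demo_compromise_recovery().items():
        print(f"{key}: {value}")
```

Running it shows the point of the thread: the stolen refresh tokens are never revoked, yet after one secret rotation the old credential yields `invalid_client` while the legitimate client, re-deployed with the new secret, keeps working; the third bullet (HSM-held keys) is the same design with `_authenticate_client` replaced by a signature check.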
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
