I think it's wrong to specify in the OAuth GENERAL security consideration, a consideration only for a specific type of token.
2011/10/31 Dan Taflin <dan.taf...@gettyimages.com> > To be consistent, section 10.3 should probably specify that the > requirement of confidentiality in transit applies specifically to BEARER > tokens.**** > > ** ** > > I would like to see this relaxed further though, as I argued last week, to > accommodate situations where a token is scoped to a limited set of data > that isn’t particularly sensitive. My example was image search. It seems > too restrictive to require TLS for an operation that does nothing more than > what anyone could do by pointing a browser at our web site. Http cookies > can be specified as either requiring or not requiring secure transport; it > seems reasonable to allow the same option for bearer tokens, which fulfill > an analogous role.**** > > ** ** > > Dan**** > > ** ** > > *From:* Marco De Nadai [mailto:denad...@gmail.com] > *Sent:* Sunday, October 30, 2011 9:44 AM > *To:* oauth@ietf.org > *Subject:* [OAUTH-WG] Security Considerations - Access Tokens**** > > ** ** > > Hi all,**** > > ** ** > > i've recently noticed that in OAuth 2.0 draft 22, in the section 10.3 > there is this statment: **** > > ** ** > > Access token (as well as any access token type-specific attributes) MUST > be kept confidential in transit and storage, and only shared among the > authorization server, the resource servers the access token is valid for, > and the client to whom the access token is issued.**** > > ** ** > > BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access > Authentication, I can request a resource with Access Token sent in clear. > This invalidates the "Access token (as well as any access token > type-specific attributes) MUST be kept confidential in transit and storage". > **** > > ** ** > > Is it my error?**** > > ** ** > > -- **** > > *Marco De Nadai***** > > http://www.marcodena.it/<http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali> > **** > > ** ** > -- *Marco De Nadai* http://www.marcodena.it/<http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
