Yeah, there's a punt here...  I believe it's recognizing that people will in 
fact use bearer tokens on a plaintext channel, the slight mitigation being 
shorter lifespan of the token.  



________________________________
From: Dan Taflin <dan.taf...@gettyimages.com>
To: Marco De Nadai <denad...@gmail.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Monday, October 31, 2011 8:54 AM
Subject: Re: [OAUTH-WG] Security Considerations - Access Tokens


 
To be consistent, section 10.3 should probably specify that the requirement of 
confidentiality in transit applies specifically to BEARER tokens.
 
I would like to see this relaxed further though, as I argued last week, to 
accommodate situations where a token is scoped to a limited set of data that 
isn’t particularly sensitive. My example was image search. It seems too 
restrictive to require TLS for an operation that does nothing more than what 
anyone could do by pointing a browser at our web site. HTTP cookies can be
specified as either requiring or not requiring secure transport; it seems 
reasonable to allow the same option for bearer tokens, which fulfill an 
analogous role.
 
Dan
 
From: Marco De Nadai [mailto:denad...@gmail.com] 
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens
 
Hi all,
 
I've recently noticed that in OAuth 2.0 draft 22, section 10.3, there is 
this statement: 
 
Access token (as well as any access token type-specific attributes) MUST be 
kept confidential in transit and storage, and only shared among the 
authorization server, the resource servers the access token is valid for, and 
the client to whom the access token is issued.
 
BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access 
Authentication, I can request a resource with the Access Token sent in the clear. 
This invalidates the "Access token (as well as any access token type-specific 
attributes) MUST be kept confidential in transit and storage".
 
Is it my error?
 
-- 
Marco De Nadai
http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali
 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
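The distinction the thread turns on, shown as an added example that is not code from the OAuth drafts or from anyone on the list: what a passive observer of one plaintext request can do with a captured bearer header versus a captured MAC-style header. The MAC construction is modelled on the OAuth 2.0 MAC access authentication draft (an `id`, `ts`, `nonce` and `mac` over a normalized request string) but is a simplification, not a conforming implementation; the normalized-string layout, the HMAC-SHA256 choice, the credentials and the URLs are all constructed for this example.

```python
"""Bearer vs MAC-style token on a plaintext channel (added example, stdlib only)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed credentials from a hypothetical authorization server.
BEARER_TOKEN = "mF_9.B5f-4.1JqM"
MAC_ID = "h480djs93hd8"                 # public identifier; goes on the wire
MAC_KEY = b"adiAsdl2q8afjkKlf2JKjkdfk"  # secret; must never go on the wire


def bearer_request(method, url, token):
    """Bearer: the header itself is the whole credential."""
    return {"Authorization": "Bearer " + token}


def _normalized_request_string(ts, nonce, method, url, ext=""):
    """Canonical request form the MAC covers (simplified, assumed layout)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    request_uri = (p.path or "/") + ("?" + p.query if p.query else "")
    fields = [str(ts), nonce, method.upper(), request_uri, p.hostname, str(port), ext]
    return "\n".join(fields) + "\n"


def _compute_mac(key, ts, nonce, method, url):
    msg = _normalized_request_string(ts, nonce, method, url).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def mac_request(method, url, mac_id, mac_key, ts=None, nonce=None):
    """MAC: id, ts and nonce in the clear; the key only ever enters the HMAC."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_urlsafe(8) if nonce is None else nonce
    mac = _compute_mac(mac_key, ts, nonce, method, url)
    return {"Authorization": f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


def _parse_mac_params(params):
    """Parse 'k="v", k="v"'; values are base64/alnum so no commas or quotes inside."""
    attrs = {}
    for item in params.split(","):
        k, _, v = item.strip().partition("=")
        if len(v) < 2 or not (v.startswith('"') and v.endswith('"')):
            raise ValueError("malformed MAC parameter: " + item)
        attrs[k] = v[1:-1]
    return attrs


class ResourceServer:
    """Accepts both schemes; keeps a nonce cache so an observed MAC request cannot be replayed."""

    def __init__(self, bearer_tokens, mac_keys, window=300):
        self.bearer_tokens = set(bearer_tokens)
        self.mac_keys = dict(mac_keys)
        self.window = window        # seconds of tolerated clock skew
        self.seen = set()           # (id, ts, nonce) tuples already served

    def authorize(self, method, url, headers, now=None):
        scheme, _, rest = headers.get("Authorization", "").partition(" ")
        if scheme == "Bearer":
            return rest in self.bearer_tokens   # possession of the string is enough
        if scheme == "MAC":
            return self._check_mac(method, url, rest, now)
        return False

    def _check_mac(self, method, url, params, now):
        try:
            a = _parse_mac_params(params)
            mac_id, ts, nonce, mac = a["id"], int(a["ts"]), a["nonce"], a["mac"]
        except (ValueError, KeyError):
            return False
        key = self.mac_keys.get(mac_id)
        now = int(time.time()) if now is None else now
        if key is None or abs(now - ts) > self.window or (mac_id, ts, nonce) in self.seen:
            return False
        if not hmac.compare_digest(_compute_mac(key, ts, nonce, method, url), mac):
            return False
        self.seen.add((mac_id, ts, nonce))
        return True


def eavesdropper_demo():
    """Replay a header captured from one plaintext GET against other requests."""
    server = ResourceServer([BEARER_TOKEN], {MAC_ID: MAC_KEY})
    now = 1320000000
    search = "http://api.example/images?q=cats"        # constructed, low-value endpoint
    account = "http://api.example/account/delete"      # constructed, high-value endpoint
    r = {}

    captured = bearer_request("GET", search, BEARER_TOKEN)
    r["bearer_original"] = server.authorize("GET", search, captured, now)
    r["bearer_reused_elsewhere"] = server.authorize("POST", account, captured, now)

    captured = mac_request("GET", search, MAC_ID, MAC_KEY, ts=now, nonce="dj83hs9s")
    r["mac_id_on_wire"] = MAC_ID in captured["Authorization"]
    r["mac_key_on_wire"] = MAC_KEY.decode() in captured["Authorization"]
    r["mac_original"] = server.authorize("GET", search, captured, now)
    r["mac_reused_elsewhere"] = server.authorize("POST", account, captured, now)
    r["mac_replayed"] = server.authorize("GET", search, captured, now)
    forged = mac_request("POST", account, MAC_ID, b"guessed-key", ts=now, nonce="x1")
    r["mac_forged_without_key"] = server.authorize("POST", account, forged, now)
    return r
```

Run `eavesdropper_demo()`: the bearer header is accepted unchanged on the account endpoint, which is why 10.3's transit-confidentiality rule matters for bearer tokens; the MAC header shows the token id in the clear (Marco's observation) but not the key, and it authenticates only the one request it was computed over, once, so an observer can neither move it to another endpoint nor sign a new request.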
