re-posting for cc to OAuth WG
On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
The OAUTH WG is creating a new authentication scheme for bearer tokens:
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
Reading section 2.3, it appears this method of transferring the
credentials is open to replay attacks when caching TLS middleware is
present. I believe this spec should mandate cache controls on
responses using that method. Otherwise a lot of HTTP compliant
middleware will feel free to store and supply the protected response
to later replay attacks.
During review, I wondered whether this might be a suitable scheme for
proxies; the draft doesn't currently specify it as such, and our list
of considerations for new schemes asks them to consider this.
Do any of the proxy implementers on the list have thoughts about this
/ possible interest in it?
I think it would be a good idea to prepare for. Quite a few admins
these days consider transit to be a service that needs authenticating
as much as any origin server resource. It might even encourage
progress on the TLS proxy connection developments we have been waiting
for.
AYJ
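The replay concern raised above, as an added example that is not part of the thread or of the draft: a small model of an HTTP/1.1 shared cache deciding whether it may store a response, following the RFC 2616 rule that a response to a request carrying an Authorization header is not shareable unless the response explicitly allows it, while a request that carries the token elsewhere (assumed here to be the URI query parameter method of section 2.3) gets no such protection and the response is stored and replayed unless the server sends cache controls. Sample requests and responses are constructed; the token value is a placeholder.

```python
"""Model of a shared HTTP cache applying RFC 2616 sections 14.8/14.9
to a bearer-protected response. Constructed examples, not draft text."""

# Response directives that forbid storage in a shared cache.
FORBID_SHARED = {"no-store", "private"}
# Response directives that let a shared cache store a response even though
# the request carried an Authorization header (RFC 2616 14.8).
ALLOW_DESPITE_AUTH = {"s-maxage", "must-revalidate", "public"}


def parse_cache_control(value):
    """Return the lower-cased directive names from a Cache-Control value."""
    if not value:
        return set()
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def shared_cache_may_store(request, response):
    """True if an HTTP/1.1 shared cache may store and later replay the response."""
    directives = parse_cache_control(response["headers"].get("Cache-Control"))
    if directives & FORBID_SHARED:
        return False
    has_authz = any(k.lower() == "authorization" for k in request["headers"])
    if has_authz:
        # Authorization in the request: only explicit overrides make it shareable.
        return bool(directives & ALLOW_DESPITE_AUTH)
    # No Authorization header (e.g. token in the query string): plain cacheable response.
    return True


# Constructed exchanges. EXAMPLE-TOKEN is a placeholder, not a real credential.
HEADER_TOKEN_REQ = {"target": "/resource",
                    "headers": {"Authorization": "Bearer EXAMPLE-TOKEN"}}
QUERY_TOKEN_REQ = {"target": "/resource?access_token=EXAMPLE-TOKEN",
                   "headers": {}}
PLAIN_RESPONSE = {"headers": {"Content-Type": "application/json"}}
HARDENED_RESPONSE = {"headers": {"Content-Type": "application/json",
                                 "Cache-Control": "private, no-store"}}


def demo():
    """Storability outcomes for the three constructed cases."""
    return {
        "header_token_plain": shared_cache_may_store(HEADER_TOKEN_REQ, PLAIN_RESPONSE),
        "query_token_plain": shared_cache_may_store(QUERY_TOKEN_REQ, PLAIN_RESPONSE),
        "query_token_hardened": shared_cache_may_store(QUERY_TOKEN_REQ, HARDENED_RESPONSE),
    }


if __name__ == "__main__":
    for case, stored in demo().items():
        print(f"{case}: {'STORED (replayable)' if stored else 'not stored'}")
```

The middle case is the one the message warns about: with the token outside the Authorization header and no Cache-Control on the response, a compliant shared cache stores the protected response and will serve it to later, unauthenticated requests.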
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth