Hi Hannes
On 26/11/12 19:01, Hannes Tschofenig wrote:
Hi Sergey,
As Phil said, it would be helpful for us to receive reviews of this document:
http://tools.ietf.org/html/draft-tschofenig-oauth-security-00
The document lists requirements and threats.
Let me offer two possibly naive reasons why using MAC may help: one of
them is related to security, the other to the ease of HOK support on
the client.
1. The safest way to return a MAC token to the client is to use
two-way TLS, because the MAC key is also returned to the client. Two-way TLS
offers stronger support for getting the client authenticated along the
way too.
2. Assuming HOK confirmation matters at all (and I believe it does),
IMHO it is much simpler for a basic client implementation to apply a MAC
signature algo and thus work with the OAuth2 servers expecting HOK
confirmations.
One more reason is more about facilitating the further migration to 2.0,
which I tried to outline in my response to Phil Hunt.
Thanks, Sergey
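To make the holder-of-key point in (1) and (2) concrete, here is an added illustration that is not part of this thread and not code from the MAC draft: a client that signs each request with an HMAC key it received from the token endpoint, and a resource server that recomputes the MAC, rejects tampered requests and rejects replays. The request normalization is a simplified stand-in for the draft's format, and the key id, MAC key, host and timestamp are constructed values. With a bearer token the token itself is the secret and travels on every request; here only the key id and the MAC travel, which is why the one message that does carry the key (the token response) needs TLS.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credentials standing in for what the token endpoint would return
# (key identifier plus MAC key). They are not real values from any deployment.
EXAMPLE_KEY_ID = "example-key-id"
EXAMPLE_MAC_KEY = b"example-mac-key-delivered-over-tls"


def normalized_request(ts, nonce, method, uri, host, port):
    """Build the string the MAC covers. This is a simplified normalization
    (timestamp, nonce, method, URI, host, port), not the exact draft layout."""
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port)]
    return "\n".join(fields) + "\n"


def compute_mac(key, ts, nonce, method, uri, host, port):
    """HMAC-SHA256 over the normalized request, base64 encoded."""
    msg = normalized_request(ts, nonce, method, uri, host, port).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def client_sign(key_id, key, method, uri, host, port, ts=None, nonce=None):
    """Client side: produce the MAC parameters for one request. Only the key id
    and the MAC are sent with the request; the key itself never leaves the client."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return {
        "id": key_id,
        "ts": ts,
        "nonce": nonce,
        "mac": compute_mac(key, ts, nonce, method, uri, host, port),
    }


class ResourceServer:
    """Resource server side: recompute the MAC from the request it actually
    received, then refuse stale timestamps, bad MACs and reused nonces."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys          # key id -> MAC key, as issued by the authorization server
        self.max_skew = max_skew  # seconds of clock skew tolerated
        self.seen = set()         # (id, ts, nonce) tuples already accepted

    def verify(self, params, method, uri, host, port, now=None):
        now = int(time.time()) if now is None else now
        key = self.keys.get(params.get("id"))
        if key is None:
            return False, "unknown key id"
        if abs(now - int(params["ts"])) > self.max_skew:
            return False, "timestamp outside window"
        expected = compute_mac(key, params["ts"], params["nonce"], method, uri, host, port)
        if not hmac.compare_digest(expected, params["mac"]):
            return False, "bad mac"
        replay_key = (params["id"], params["ts"], params["nonce"])
        if replay_key in self.seen:
            return False, "replayed nonce"
        self.seen.add(replay_key)
        return True, "ok"


def demo():
    """Sign one request, then show that a tampered copy and a replay are rejected."""
    server = ResourceServer({EXAMPLE_KEY_ID: EXAMPLE_MAC_KEY})
    now = 1353960000  # fixed clock (constructed) so the run is deterministic
    host, port, uri = "api.example.com", 443, "/resource/1"
    params = client_sign(EXAMPLE_KEY_ID, EXAMPLE_MAC_KEY, "GET", uri, host, port, ts=now, nonce="n1")
    good = server.verify(params, "GET", uri, host, port, now=now)
    # Same parameters presented with a different method: the MAC no longer matches.
    tampered = server.verify(params, "DELETE", uri, host, port, now=now)
    # Exact same request presented again: the nonce has already been consumed.
    replay = server.verify(params, "GET", uri, host, port, now=now)
    # Request signed with a key the server does not know about.
    unknown = server.verify(client_sign("other-id", b"other-key", "GET", uri, host, port, ts=now), "GET", uri, host, port, now=now)
    return good, tampered, replay, unknown


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "replay", "unknown"), demo()):
        print(f"{label}: {result}")
```

The server keeps a set of consumed (id, ts, nonce) tuples; in practice that set is bounded by the timestamp window, since anything older than `max_skew` is rejected before the nonce is consulted.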
Ciao
Hannes
On Nov 26, 2012, at 8:28 PM, Phil Hunt wrote:
If we want to get this done we have to get agreement on the requirements for
HOK. Several meetings ago (Quebec) the group indicated that MAC wasn't
appropriate to anyone's needs.
Some would argue that OAuth1 users arguably have less security than the simpler
bearer token /tls model in OAuth2. This just shows the real issue of
demonstrated need has not been properly defined and understood.
More dialog on use cases is very helpful to moving HOK/MAC/etc forward.
Phil
On 2012-11-26, at 10:15, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
Hi
What needs to be done to complete the MAC token spec? Without having it signed
off it will be difficult to get people working with OAuth 1.0 convinced to move
to 2.0.
I'm seeing another user request for getting OAuth 1.0 support extended further
because the user expects it is more secure, and I guess because it is proven to
work for people, and I guess because many OAuth 1.0 users feel they should stay
away from OAuth 2.0 because of some bad press.
Without MAC being completed the division will continue, with even more
misleading anti-OAuth2 posts appearing (though I guess some of the better posts
point to some level of complexity in 2.0).
Is it a matter of a security expert validating the text, fixing a few typos, and
basically signing it off?
If someone is interested then I can provide the info offline on how MAC is
supported in our framework, to get things tested easily and such...
Cheers, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth