Brian,
You are asking many interesting questions--maybe we should continue this
when we meet in Anaheim. (The nights are getting shorter...)
In short, yes, non-repudiation, in general, is a very tough thing. We
had been having long discussions with Steve Bellovin about that in
PINT/SPIRITS t
Quick feedback...
On 4 Mar 2010, at 5:42 PM, Dick Hardt wrote:
> Hi Eve
>
> Looking at the WRAP oriented comments in the spec, here are some comments /
> questions:
>
> Note
> WRAP doesn't seem to say HTTPS is required for the user authorization URL; is
> this a bug in the WRAP spec? If not,
Hi all,
One of the things that's been a primary focus of both today's WG call
and last week's call is what are the specific use cases for
signatures?
- Why are signatures needed?
- end2end message-level security (w/ or w/o HTTPS) in order to prevent
intermediaries from tampering messages -
On Thu, Mar 4, 2010 at 10:18 PM, Igor Faynberg
wrote:
> The secure channel only delivers a request (or a token). But there is no
> proof of authentication (or the means for non-repudiation) in the token
> itself, unless the whole session has been recorded (and the key for it has
> been stored).
T
Dick Hardt wrote:
...
If there is a secure channel between the Client and the PR, and the token is
only accepted at one Client. What other advantages are there to the Client
signing that you don't get from a bearer token?
...
The secure channel can only protect a session, not the data that ne
On 2010-03-04, at 9:31 PM, Igor Faynberg wrote:
>
>
> Dick Hardt wrote:
>> On 2010-03-04, at 12:27 PM, Igor Faynberg wrote:
>> ...
- Why are signatures needed?
>>> 1) For authentication
>>>
>>> 2) For ensuring integrity
>>>
>>> 3) For non-repudiation
>>>
>>
>> Those are
As was discussed on the OAuth list, desktop apps can NOT be secured, so there
is no way to ensure it really is the desktop app you think it is. For most
phone platforms, this is also the case. For totally locked platforms where the
app is part of the OS (xbox, PS3, some phones, settop boxes) --
Dick Hardt wrote:
On 2010-03-04, at 12:27 PM, Igor Faynberg wrote:
...
- Why are signatures needed?
1) For authentication
2) For ensuring integrity
3) For non-repudiation
Those are the general capabilities of signatures. "Why does the Client need to sign
the request / token
+ietf list
On Mar 4, 2010, at 8:16 PM, Jason Hullinger wrote:
I think there are probably going to be more instances of providers
needing this than otherwise. The current Username and Password
profile is not a solution in a for every sense, and there clearly is
a need for a secure protoco
I could have some commentary on the mixed approach as well.
I've been contemplating extending the WRAP draft to include signatures once the
requirements / capabilities of signatures was clear.
-- Dick
On 2010-03-04, at 4:48 PM, David Recordon wrote:
> Cool. Happy to share my intro time with E
Thanks Eve, comments inserted ...
On 2010-03-04, at 12:51 PM, Eve Maler wrote:
> As requested on today's call, here's a description of the places where UMA
> seems to need "more" than what the WRAP paradigm offers (both profiling and
> extending), based on the proposal at:
>
> http://kantarai
Hi Eve
Looking at the WRAP oriented comments in the spec, here are some comments /
questions:
Note
WRAP doesn't seem to say HTTPS is required for the user authorization URL; is
this a bug in the WRAP spec? If not, is it a good idea for us to profile it in
this way? Finally, is this the right p
Cool. Happy to share my intro time with Eran/Chris/Blain if they'd
like as well.
On Thu, Mar 4, 2010 at 2:29 PM, Peter Saint-Andre wrote:
>
>
> Based on our discussion in the conference call earlier today, here is a
> rough agenda for our 2-hour session in Anaheim.
>
> ***
>
> 0. Administrivia
I don't buy the argument that future security should be modelled after
the broken security we have today.
EHL
On Mar 4, 2010, at 10:55, "David Recordon" wrote:
> Copying over a discussion from comments on my blog...
> http://daveman692.livejournal.com/349384.html?thread=1117640#t1117640
>
> M
On Thu, Mar 4, 2010 at 10:55 AM, David Recordon wrote:
> Mart Atkins:
>> Doing short-lived access tokens in cleartext is not really any different to
>> how most sites
>> handle sessions today. A short-lived access token isn't much different than
>> a session key.
Yep. This is not an accident,
Based on our discussion in the conference call earlier today, here is a
rough agenda for our 2-hour session in Anaheim.
***
0. Administrivia (chairs, 5 mins)
1. OAuth intro (David Recordon, 15 mins)
2. WRAP (Dick Hardt, 15 mins)
3. Mixed approach (Eran Hammer-Lahav / David Recordon, 25 mins)
On Thu, Mar 4, 2010 at 12:00 PM, Blaine Cook wrote:
> Let's try to outline the use cases! Please reply here, so that we have
> a good idea of what they are as we move towards the Anaheim WG.
Luke summarized Facebook's use cases for signatures earlier:
http://www.ietf.org/mail-archive/web/oauth/c
On 2010-03-04, at 12:27 PM, Igor Faynberg wrote:
>
>
> Blaine Cook wrote:
>> - Why are signatures needed?
>>
> 1) For authentication
>
> 2) For ensuring integrity
>
> 3) For non-repudiation
Those are the general capabilities of signatures. "Why does the Client need to
sign the request / t
As requested on today's call, here's a description of the places where UMA
seems to need "more" than what the WRAP paradigm offers (both profiling and
extending), based on the proposal at:
http://kantarainitiative.org/confluence/display/~xmlg...@idp.protectnetwork.org/Proposal+for+UMA+1.0+Core+P
> *Subject: **Your recording "OAUTH WG Virtual Meeting-20100304 1905-1"
> is available for viewing*
> *Reply-To: *messen...@webex.com <mailto:messen...@webex.com>
>
> IETF Secretariat,
>
> Your recording is now available on the WebEx
Peter,
Many thanks for your leadership! It was an excellent idea to organize
the meetings, but it has been a feat in itself actually to run them--and
run them successfully, at that!
Igor
Peter Saint-Andre wrote:
I'd like to again thank everyone who participated in the call that just
ended.
Blaine Cook wrote:
- Why are signatures needed?
1) For authentication
2) For ensuring integrity
3) For non-repudiation
- What do signatures need to protect?
They protect against
1) Fraudulent access (which, in absence of proper mechanisms, may not
even be considered legally fr
I'd like to again thank everyone who participated in the call that just
ended. Rough notes are here:
http://etherpad.com/RZilFVrF2Q
Those notes will be updated once we have the audio recording.
Peter
--
Peter Saint-Andre
https://stpeter.im/
One of the things that's been a primary focus of both today's WG call
and last week's call is what are the specific use cases for
signatures?
- Why are signatures needed?
- What do signatures need to protect?
Let's try to outline the use cases! Please reply here, so that we have
a good idea of wh
Folks may be interested to see the following experiment being performed in the
UMA group:
http://kantarainitiative.org/confluence/display/~xmlg...@idp.protectnetwork.org/Proposal+for+UMA+1.0+Core+Protocol
This is a proposal for a spec that uses a WRAP-friendly approach to solving our
use cases.
Copying over a discussion from comments on my blog...
http://daveman692.livejournal.com/349384.html?thread=1117640#t1117640
Mart Atkins:
> Doing short-lived access tokens in cleartext is not really any different to
> how most sites
> handle sessions today. A short-lived access token isn't much di
Just a reminder that we'll hold a conference call in about 50 minutes.
Logistics and agenda here:
http://www.ietf.org/mail-archive/web/oauth/current/msg01222.html
http://www.ietf.org/mail-archive/web/oauth/current/msg01221.html
Talk to you soon!
Peter
--
Peter Saint-Andre
https://stpeter.im/