Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-06 Thread Sergey Beryozkin
o-way TLS Cheers, Sergey *From:* Prabath Siriwardena *To:* William Mills *Cc:* L. Preston Sego III ; "oauth@ietf.org" *Sent:* Wednesday, February 6, 2013 8:23 AM *Subject:* Re: [OAUTH-WG] I'm con

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-06 Thread Prabath Siriwardena
Preston Sego III ; "oauth@ietf.org" < > oauth@ietf.org> > *Sent:* Wednesday, February 6, 2013 8:23 AM > *Subject:* Re: [OAUTH-WG] I'm concerned about how the sniffability of > oauth2 requests > > > > On Mon, Feb 4, 2013 at 9:57 PM, William Mills wrote: >

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-06 Thread William Mills
owser? From: Prabath Siriwardena To: William Mills Cc: L. Preston Sego III ; "oauth@ietf.org" Sent: Wednesday, February 6, 2013 8:23 AM Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests On Mon, Feb 4, 2013 at 9:57 PM, William Mill

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-06 Thread Prabath Siriwardena
On Mon, Feb 4, 2013 at 9:57 PM, William Mills wrote: > There are two efforts at signed token types: MAC which is still a > possibility if we wake up and do it, and the "Holder Of Key" type tokens. > If someone can use sslstrip then even MAC is not safe - since MAC key needs to be transferred over

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread Hannes Tschofenig
: oauth@ietf.org > Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 > requests > > On 04/02/13 16:27, William Mills wrote: >> There are two efforts at signed token types: MAC which is still a >> possibility if we wake up and do it, > > I'd

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread Lewis Adam-CAL022
@ietf.org Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests On 04/02/13 16:27, William Mills wrote: > There are two efforts at signed token types: MAC which is still a > possibility if we wake up and do it, I'd rephrase it slightly differently, it

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread Sergey Beryozkin
On 04/02/13 16:27, William Mills wrote: There are two efforts at signed token types: MAC which is still a possibility if we wake up and do it, I'd rephrase it slightly differently, it is a possibility right now, OAuth2 supports custom tokens, the fact that OAuth2 may not formally approve MAC

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread Prateek Mishra
Can you explain how SSLstrip could be used to defeat the OAuth flows? Isn't it dependent on web pages with non-HTTPs links? Which step in the OAuth exchanges would be vulnerable? BTW, there is a threats analysis document that discusses a variety of attacks and countermeasures - http://datat

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread William Mills
There are two efforts at signed token types: MAC which is still a possibility if we wake up and do it, and the "Holder Of Key" type tokens. There are a lot of folks that agree with you. From: L. Preston Sego III To: oauth@ietf.org Sent: Friday, February 1, 20
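The contrast the thread keeps returning to (a bearer token that anyone who sniffs it can reuse, versus a MAC-style token where the client holds a key and signs each request) is easier to see in code than in a reply chain. The following is an added example written for this page; it is not code from the thread, from the OAuth WG, or from the MAC draft. It is modelled loosely on the MAC token idea (key id plus HMAC over timestamp, nonce, method, path, host and port), but the exact normalized-string layout and header grammar here are assumptions, as are the key id, key, nonce and URLs. It does not address Prabath's objection, which is about how the MAC key reaches the client in the first place; it only shows what a sniffed request is worth afterwards.

```python
"""Added example (not from the thread): sniffed bearer token vs sniffed MAC-signed
request. Normalized-string layout and header grammar are assumptions modelled on
the MAC token idea, not the draft's exact wording. All sample values are constructed."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Constructed sample data: key id / key the client received from the token endpoint
# (over TLS, which is the step the sslstrip objection in the thread targets).
SAMPLE_KEY_ID = "h480djs93hd8"
SAMPLE_KEY = b"489dks293j39"
KEYS = {SAMPLE_KEY_ID: SAMPLE_KEY}


def normalized_request(ts, nonce, method, url, ext=""):
    """Bind the signature to this request: time, nonce, method, path+query, host, port."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    parts = [str(ts), nonce, method.upper(), path, u.hostname or "", str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, normalized):
    digest = hmac.new(key, normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(key_id, key, method, url, ts, nonce=None):
    """Client side: build the Authorization header for one specific request."""
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(key, normalized_request(ts, nonce, method, url))
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def verify_mac_request(header, keys, method, url, now, seen_nonces, window=300):
    """Server side: (ok, reason). Rejects unknown keys, stale timestamps, replays,
    and any request whose method/URL differs from what was signed. The nonce is
    recorded only after the MAC checks out, so a sniffer cannot poison the set."""
    if not header.startswith("MAC "):
        return False, "not a MAC header"
    p = dict(_PARAM.findall(header[4:]))
    key = keys.get(p.get("id", ""))
    if key is None:
        return False, "unknown key id"
    try:
        ts = int(p["ts"])
        nonce, mac = p["nonce"], p["mac"]
    except (KeyError, ValueError):
        return False, "malformed header"
    if abs(now - ts) > window:
        return False, "stale timestamp"
    expected = compute_mac(key, normalized_request(ts, nonce, method, url))
    if not hmac.compare_digest(expected, mac):
        return False, "bad mac"
    if (p["id"], nonce) in seen_nonces:
        return False, "replay"
    seen_nonces.add((p["id"], nonce))
    return True, "ok"


def verify_bearer_request(header, valid_tokens, method, url):
    """Bearer check for contrast. method and url are deliberately unused: that is
    the point. A sniffed bearer token authorizes any request until it expires."""
    token = header[7:] if header.startswith("Bearer ") else ""
    return token in valid_tokens


if __name__ == "__main__":
    url = "https://example.com/resource/1?b=1&a=2"
    sniffed = sign_request(SAMPLE_KEY_ID, SAMPLE_KEY, "GET", url, ts=1336363200, nonce="dj83hs9s")
    seen = set()
    print(verify_mac_request(sniffed, KEYS, "GET", url, 1336363210, seen))      # (True, 'ok')
    print(verify_mac_request(sniffed, KEYS, "GET", url, 1336363220, seen))      # replay
    print(verify_mac_request(sniffed, KEYS, "DELETE", url, 1336363210, set()))  # bad mac
    print(verify_bearer_request("Bearer xyz", {"xyz"}, "DELETE", "https://example.com/x"))
```

Running the `__main__` block shows the asymmetry: the captured MAC header is accepted once, for the exact GET it was computed over, inside the timestamp window; replaying it or retargeting it to a DELETE fails. The captured bearer token is accepted for a DELETE on an unrelated path. Whether the key behind the MAC stays secret is a separate question, which is the one the thread is arguing about.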