Hardt;
"oauth@ietf.org"
Sent: Thursday, August 9, 2012 11:26 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question was asked about the future of the MAC
spec due to it no longer having an editor.
The Chair and AD indicated a desire to ha
quest,
and can provide replay protection.
-bill
From: John Bradley
To: William Mills
Cc: Dick Hardt; "oauth@ietf.org"
Sent: Thursday, August 9, 2012 11:26 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question was asked about the future of the
On 08/10/2012 12:48 PM, Dick Hardt wrote:
On Aug 10, 2012, at 9:28 AM, Justin Richer wrote:
On 08/09/2012 06:47 PM, Dick Hardt wrote:
On Aug 9, 2012, at 1:08 PM, Justin Richer wrote:
With MAC, you should be able to re-use about 80-90% of your
existing codepath that's in place for Bearer, si
Hardt
To: Rob Richards
Cc: "oauth@ietf.org"
Sent: Friday, August 10, 2012 9:18 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
As an implementor, I would pick a signed JWT over OAuth 1.0A. Just saying.
Given that, there is also a clear need for signing an HTTP(S) r
On Aug 10, 2012, at 9:28 AM, Justin Richer wrote:
> On 08/09/2012 06:47 PM, Dick Hardt wrote:
>>
>> On Aug 9, 2012, at 1:08 PM, Justin Richer wrote:
>>
>>> With MAC, you should be able to re-use about 80-90% of your existing
>>> codepath that's in place for Bearer, simplifying the setup below.
>>>> OK, I'll play and start documenting the use cases.
>>>>>>
>>>>>> Use case #1: Secure authentication in plain text connections:
>>>>>>
>>>>>> Some applications need a secure form authorization, but do
org>" <mailto:oauth@ietf.org>>
*Sent:* Thursday, August 9, 2012 10:27 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
On Aug 9, 2012, at 9:52 AM, William Mills wrote:
I find the idea of starting from scratch frustrating. MAC solves
a set of specific problem
n on all or part of an HTTP request,
and can provide replay protection.
-bill
From: John Bradley
To: William Mills
Cc: Dick Hardt ; "oauth@ietf.org"
Sent: Thursday, August 9, 2012 11:26 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question w
n, but do not want or
>>>> need the overhead of encrypted connections. HTTP cookies and their ilk
>>>> are replayable credentials and do not satisfy this need. The MAC scheme
>>>> using signed HTTP authorization credentials offers the capability to
>>>
're gonna improve on the current PKI that is SSL certificates we should
>do that separately.
>
>
>
>
> From: John Bradley
>To: William Mills
>Cc: David Waite ; "oauth@ietf.org"
>
>Sent: Thursday, August 9, 2012 8:4
I that is SSL certificates we should
> do that separately.
>
> From: John Bradley
> To: William Mills
> Cc: David Waite ; "oauth@ietf.org"
>
> Sent: Thursday, August 9, 2012 8:47 PM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
> Bill,
Hardt ; "oauth@ietf.org"
Sent: Thursday, August 9, 2012 11:26 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question was asked about the future of the MAC spec due to it
no longer having an editor.
The Chair and AD indicated a desire to have a d
From: Hannes Tschofenig
To: William Mills
Cc: Hannes Tschofenig ; John Bradley
; "oauth@ietf.org"
Sent: Friday, August 10, 2012 12:01 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
Hi Bill,
thanks for the feedback. Le
n provide replay protection.
>>
>> -bill
>>
>> From: John Bradley
>> To: William Mills
>> Cc: Dick Hardt ; "oauth@ietf.org"
>> Sent: Thursday, August 9, 2012 11:26 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac
>>
To: William Mills <wmills_92...@yahoo.com>
Cc: David Waite <da...@alkaline-solutions.com>;
"oauth@ietf.org" <oauth@ietf.org>
Sent: Thursday, August 9, 2012 8:47 PM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-ht
r ilk are
>>> replayable credentials and do not satisfy this need. The MAC scheme using
>>> signed HTTP authorization credentials offers the capability to securely
>>> authorize a transaction, can offer integrity protection on all or part of
>>> an HTTP reques
on the current PKI that is SSL certificates we should do
that separately.
From: John Bradley
To: William Mills
Cc: David Waite ; "oauth@ietf.org"
Sent: Thursday, August 9, 2012 8:47 PM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-ma
ty to securely
>> authorize a transaction, can offer integrity protection on all or part of an
>> HTTP request, and can provide replay protection.
>>
>> -bill
>>
>> From: John Bradley
>> To: William Mills
>> Cc: Dick Hardt ; "oauth@ietf.org"
ion.
>
> -bill
>
> From: John Bradley
> To: William Mills
> Cc: Dick Hardt ; "oauth@ietf.org"
> Sent: Thursday, August 9, 2012 11:26 AM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
> In Vancouver the question was asked about
> To: oauth@ietf.org
> Sent: Thursday, August 9, 2012 4:02 PM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
> For #1:
> Does the use of plain HTTP to talk to protected resources provide significant
> value when using an AS that requires HTTPS? Or am I misunder
AS would still be required to be HTTPS as per the spec.
From: David Waite
To: oauth@ietf.org
Sent: Thursday, August 9, 2012 4:02 PM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
For #1:
Does the use of plain HTTP to talk to protected
er the capability to securely
>> authorize a transaction, can offer integrity protection on all or part of an
>> HTTP request, and can provide replay protection.
>>
>> -bill
>>
>> From: John Bradley
>> To: William Mills
>> Cc: Dick Hardt ; "oauth@
and MAC.
>>>
>>> From: Dick Hardt
>>> To: William Mills
>>> Cc: "oauth@ietf.org"
>>> Sent: Thursday, August 9, 2012 10:27 AM
>>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>>
>>>
>>>
>> Bearer and MAC.
>>
>> From: Dick Hardt
>> To: William Mills
>> Cc: "oauth@ietf.org"
>> Sent: Thursday, August 9, 2012 10:27 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>
>>
>> On Aug 9, 2012, at
ietf.org"
>Sent: Thursday, August 9, 2012 10:27 AM
>Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
>
>
>
>On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>
>I find the idea of starting from scratch frustrating. MAC solves a set of
>spe
tf.org"
*Sent:* Thursday, August 9, 2012 11:26 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question was asked about the future of the MAC spec
due to it no longer having an editor.
The Chair and AD indicated a desire to have a document on the
u
---
*From:* Dick Hardt <dick.ha...@gmail.com>
*To:* William Mills <wmills_92...@yahoo.com>
*Cc:* "oauth@ietf.org" <oauth@ietf.org>
*Sent:* Thursday, August 9, 2012 10:27 AM
*Subject:* Re: [OAUT
t there for OAuth 1.0a. MAC fits in to the OAuth 2 auth model
> and will provide for a single codepath for sites that want to use both Bearer
> and MAC.
>
> From: Dick Hardt
> To: William Mills
> Cc: "oauth@ietf.org"
> Sent: Thursday, August 9, 2012 10:27 AM
play
protection.
-bill
*From:* John Bradley
*To:* William Mills
*Cc:* Dick Hardt ; "oauth@ietf.org"
*Sent:* Thursday, August 9, 2012 11:26 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the que
*From:* Dick Hardt
*To:* William Mills
*Cc:* "oauth@ietf.org"
*Sent:* Thursday, August 9, 2012 10:27 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
On Aug 9, 2012, at 9:52 AM, William Mills wrote:
I find the idea of starting from
John Bradley
To: William Mills
Cc: Dick Hardt ; "oauth@ietf.org"
Sent: Thursday, August 9, 2012 11:26 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
In Vancouver the question was asked about the future of the MAC spec due to it
no longer having an editor.
T
, 2012 10:27 AM
*Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
On Aug 9, 2012, at 9:52 AM, William Mills wrote:
I find the idea of starting from scratch frustrating. MAC solves a
set of specific problems and has a well defined use case. It's
symmetric key based which does
nd MAC.
>>
>> From: Dick Hardt
>> To: William Mills
>> Cc: "oauth@ietf.org"
>> Sent: Thursday, August 9, 2012 10:27 AM
>> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>>
>>
>> On Aug 9, 2012, at 9:52 AM, Wi
AM
> Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
>
> On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>
>> I find the idea of starting from scratch frustrating. MAC solves a set of
>> specific problems and has a well defined use case. It
> *From:* Dick Hardt
> *To:* William Mills
> *Cc:* "oauth@ietf.org"
> *Sent:* Thursday, August 9, 2012 10:27 AM
>
> *Subject:* Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
>
>
> On Aug 9, 2012, at 9:52 AM, William Mills wrote:
>
>
: William Mills
Cc: "oauth@ietf.org"
Sent: Thursday, August 9, 2012 10:27 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
On Aug 9, 2012, at 9:52 AM, William Mills wrote:
I find the idea of starting from scratch frustrating. MAC solves a set of
specific proble
On Aug 9, 2012, at 9:52 AM, William Mills wrote:
> I find the idea of starting from scratch frustrating. MAC solves a set of
> specific problems and has a well defined use case. It's symmetric key based
> which doesn't work for some folks, and the question is do we try to develop
> something
I find the idea of starting from scratch frustrating. MAC solves a set of
specific problems and has a well defined use case. It's symmetric key based
which doesn't work for some folks, and the question is do we try to develop
something that supports both PK and SK, or finish the SK use case an
OK, that's fair. I just don't want process to get in the way of progress.
-- Justin
On 08/08/2012 05:21 PM, John Bradley wrote:
We did discuss per message signing in Vancouver.
The idea is to get agreement on the threats we are trying to mitigate, then
decide on the mechanisms.
Per message
We did discuss per message signing in Vancouver.
The idea is to get agreement on the threats we are trying to mitigate, then
decide on the mechanisms.
Per message signing will likely still be one of the mechanisms.
The chair will need to decide if we start fresh and copy the parts of MAC that
I believe that there's value in per-message signing completely apart
from the channel level encryption. MAC tokens let us do this with a
per-token secret using a pattern very well established in OAuth1. I'm
sorry that I wasn't at the Vancouver meeting to voice this opinion, for
what it's worth.
I have promised to put together a summary of the discussion presented in
Vancouver meeting.
Unfortunately it may take a few weeks as I am away for another week and a half.
Phil
On 2012-08-08, at 9:24, Hannes Tschofenig wrote:
> Hi Justas,
>
> thanks for sending your feedback to the list.
Hi Justas,
thanks for sending your feedback to the list.
There is indeed currently no editor for the document. That is, however, not the
problem.
The problem, as discussed on the list and also at the last IETF meeting, is
that we do not yet know what type of security properties we want. The
Justin,
Count me in to help revive this and get it done.
-bill
From: Justin Richer
To: oauth@ietf.org
Sent: Wednesday, August 8, 2012 8:08 AM
Subject: Re: [OAUTH-WG] mistake in draft-ietf-oauth-v2-http-mac-01
Thanks Justas. The MAC document is currently
Thanks Justas. The MAC document is currently without an editor within
the WG, so this is the best place to record the error.
A wider note to the WG: I wouldn't mind taking over editorship of the
MAC token document so long as I could get a co-editor with enough
cryptographic expertise to make s