Re: [OAUTH-WG] Symmetric Proof of Possession for the OAuth Authorization Code Grant: comments
Brian Campbell <bcampbell@pingidentity.com> Tue, 02 September 2014 17:50 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01BE81A068E for <oauth@ietfa.amsl.com>; Tue, 2 Sep 2014 10:50:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m-vug0wFuAYW for <oauth@ietfa.amsl.com>; Tue, 2 Sep 2014 10:50:00 -0700 (PDT)
Received: from na3sys009aog134.obsmtp.com (na3sys009aog134.obsmtp.com [74.125.149.83]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 879E61A0243 for <oauth@ietf.org>; Tue, 2 Sep 2014 10:50:00 -0700 (PDT)
Received: from mail-ig0-f180.google.com ([209.85.213.180]) (using TLSv1) by na3sys009aob134.postini.com ([74.125.148.12]) with SMTP ID DSNKVAYDR7YB56cSsLHYFQte6MIzfe4OdQ12@postini.com; Tue, 02 Sep 2014 10:50:00 PDT
Received: by mail-ig0-f180.google.com with SMTP id hn18so7683023igb.7 for <oauth@ietf.org>; Tue, 02 Sep 2014 10:49:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=hPep0joVfvb/EJJsqRIgYeCA5JQ6giOF+6c38TD/umM=; b=Y3IsBIWIZTk4uVbgtPF/PcKtNTfPpQEFB6gPFpC0/Z4d1ZUlbZdYMSbCpF5GPQ6tR9 oiorJPbMc9l3wMCGlvReVEQ7S/fJF6vSs7a7xkvZhmbRIg7fQzqJjmgd2H+Z9SGTpJ+Y LQoFYQzBzsSOe3v4Yq6D6uTC7I+ItnFvovvHj28PqFK3G6EAOzg2UkIeGTgS+M0n9eHJ svFTXsS9NQ9IVzF5JiMF9RBvgUUxk0Qpc4wdQ8NsGHZBUii5v0yz88qoBPGxwAXjhGab 0LMa2c2BDGfQJOg/Mji3493isM3eopGYYRk3Y3LRXPifDjP8X4k0dW+3V7uKxcXfSBdy lUsg==
X-Gm-Message-State: ALoCoQk+Adg7PHmBSMcK6dJiHcTRtONjbMklIIOI7SoD/xFjAp1O/gb71TMDSSUHAAxjc1HE6uaOarZ7OwHxAXSFwcx/78PVjPdVrQJMksBAnrGhsTwVPz/1AqYGlcjsmOx4I9D8MwRx
X-Received: by 10.42.4.136 with SMTP id 8mr9366245ics.57.1409680199559; Tue, 02 Sep 2014 10:49:59 -0700 (PDT)
X-Received: by 10.42.4.136 with SMTP id 8mr9366222ics.57.1409680199274; Tue, 02 Sep 2014 10:49:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.108.135 with HTTP; Tue, 2 Sep 2014 10:49:29 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E127C7041D56@WSMSG3153V.srv.dir.telstra.com>
References: <53FCE0D7.5010109@gmx.net> <53FDFCFF.8010606@gmx.net> <29CFEF98-9B5F-418D-A799-DD0B536B8090@ve7jtb.com> <255B9BB34FB7D647A506DC292726F6E127C7041D56@WSMSG3153V.srv.dir.telstra.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 02 Sep 2014 11:49:29 -0600
Message-ID: <CA+k3eCQwecLoMk6YwkmqppDCW318jQ8ONUJc5hnZbTs39a=aZg@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="001a1134476c866ad9050218bf12"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RX4j9gXW5aHqfFSoC3OgGQjReQY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Symmetric Proof of Possession for the OAuth Authorization Code Grant: comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 17:50:03 -0000
On #1, I know some have pushed for having the transformation options so I don't know if dropping it will work. But, if not removed entirely, the transformation stuff could definitely be deemphasized in favor of what will be the most common case of the client sending a random string value on the authorization request and then sending the same value on the token request. On #2, there are already implementations and deployments of this so I'd request that the parameter names not be changed. On #3, I agree that the title is confusing/misleading. Perhaps, "Request Correlation for the OAuth Authorization Code Grant" or something like that? On #4, on one hand you are right. On the other hand, this is the OAuth WG and this draft is addressing a very specific security issue in OAuth deployments. Having it be OAuth-centric seems right given the circumstances. On Thu, Aug 28, 2014 at 11:03 PM, Manger, James < James.H.Manger@team.telstra.com> wrote: > Couple of comments on draft-ietf-oauth-spop-00: > > The draft defines a nice little mechanism to link two requests: one from > app-to-browser-to-server, the other from app-to-server. > > 1. > The spec defines the "bearer token" version of linking the requests: pick > a random value and send it in both requests. The spec repeatedly hints that > other "transformations" are possible (and even mentions one in a note), but > it doesn't define enough to make these other ones interoperable. > I suggest just specifying the bearer version and dropping all the other > text. > If we want another transform standardized later then we write another spec > (which can use its own field names). > > 2. > Linking requests is orthogonal to whether or not the requests include a > field called "code". I suggest changing the labels "code_challenge" and > "code_verifier" to drop the "code" reference. Perhaps replace both with > "session_id" ("sid" for short?). > > 3. > The spec is titled "Symmetric Proof of Possession ..." but defines a > bearer mechanism, which you cannot really classify as proof-of-possession. > Suggestion: change the title. > > 4. > The text is totally OAuth-centric, though the mechanism is not really > limited to this case. It would be much nicer to describe the mechanism more > generically (eg app running on a user's computer wanting to link two > requests made to a server over different channels). The abstract (and the > start of the introduction) should be comprehensible without having to know > what the phrase "OAuth 2.0 public client" means. There would still be some > OAuth-specific sections describing how the mechanism applies to the code > flow (and to register a field in the IANA OAuth registry). > > > -- > James Manger > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Working Group Last Call on "Symmetric … Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Phil Hunt
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… John Bradley
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Richer, Justin P.
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… John Bradley
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Anthony Nadalin
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Brian Campbell
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Nat Sakimura
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Mike Jones
- [OAUTH-WG] Symmetric Proof of Possession for the … Manger, James
- Re: [OAUTH-WG] Working Group Last Call on "Symmet… Nat Sakimura
- Re: [OAUTH-WG] Symmetric Proof of Possession for … Brian Campbell
- Re: [OAUTH-WG] Symmetric Proof of Possession for … Nat Sakimura
- Re: [OAUTH-WG] Symmetric Proof of Possession for … John Bradley
- Re: [OAUTH-WG] Symmetric Proof of Possession for … Nat Sakimura