<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yes I think it warrants a mention in security considerations.<div><br></div><div>We are making good progress on libraries and test deployments. Our interop at the Summit in California was a good start.</div><div><br></div><div>Deploying this stuff always teaches you a lot.</div><div><br></div><div>John<br><div><br></div><div><br><div><div>On 2011-09-29, at 4:46 PM, Fulup Ar Foll wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div text="#000000" bgcolor="#ffffff">
John,<br>
<br>
I do not disagree with your comment, and "keep it simple and
interoperable" should remain the end goal. <br>
<br>
In the case of external SSL accelerators, some form of "best practice
deployment guideline" is probably enough. The only important thing
is to make sure that real-life deployment scenarios are taken into
account and are implementable.<br>
<br>
Fulup<br>
<br>
On 29/09/2011 18:51, John Bradley wrote:
<blockquote cite="mid:51234066-A229-443C-9766-8CCCB3D41D4B@ve7jtb.com" type="cite">Hi Fulup,
<div><br>
</div>
<div>That is true. However, if there is a vulnerability between
the IdP's SSL accelerators and the web server, then they have
real problems.</div>
<div><br>
</div>
<div>I am guessing at that point the attacker can just sniff the
response. It adds lots of complexity in maintaining the secrets
and signing the request elements (a problem for OAuth 1.1) for a
small security gain.</div>
<div><br>
</div>
<div>I also have it from a number of large providers that they
will not support MAC tokens, due to bad interoperability
experiences.</div>
<div><br>
</div>
<div>If we do add MAC token support it would need to be optional.
That reduces the value as well.</div>
<div><br>
</div>
<div>I do think there is value in knowing who is sending the
request. That however is not part of the MAC token profile,
other than perhaps as theatre. </div>
<div><br>
</div>
<div>I do think more work needs to go into OAuth after the current
spec is finalized. If something that OpenID Connect can take
advantage of comes out, then we should adopt it.</div>
<div><br>
</div>
<div>However I am still unconvinced MAC tokens add any real value
to Connect.</div>
<div><br>
</div>
<div>It isn't like I have never been wrong about this stuff, so I
am interested in counter ideas.</div>
<div><br>
</div>
<div>John B.</div>
<div><br>
</div>
<div><br>
<div>
<div>On 2011-09-29, at 12:56 PM, Fulup Ar Foll wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div text="#000000" bgcolor="#ffffff"> John,<br>
<br>
While I agree with you on the principle, we cannot ignore
that many telco-grade sites break SSL with dedicated
hardware before the web servers, in which case both
SSL+signing can make sense. This being said, it would be
against the "keep it simple" principle. <br>
<br>
Fulup<br>
<br>
On 29/09/2011 17:07, John Bradley wrote:
<blockquote cite="mid:149FFA12-5473-44C2-B243-EB88679ADA17@ve7jtb.com" type="cite">
<pre wrap="">Yes but as that is a direct request that should be over SSL in Connect, signing is not adding anything other than complexity.
John
On 2011-09-29, at 11:59 AM, Justin Richer wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Since most stuff in Connect is packed inside of the token, yes, I agree.
But MAC does allow for signing of all of the parameters of an HTTP
request with a per-token secret.
-- justin
On Thu, 2011-09-29 at 10:00 -0400, Nat Sakimura wrote:
</pre>
<blockquote type="cite">
<pre wrap="">As far as I understand, it was both for the simplivity and
interoperability. Besides, MAC does not add much in termd og
security.
2011/09/29 22:40 "Richer, Justin P." <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org"><jricher@mitre.org></a>:
</pre>
<blockquote type="cite">
<pre wrap="">Sorry if this has been covered before, but am I missing why MAC or
some other OAuth2-bound token can't be used in OpenID Connect? Is it
for the sake of simplicity ("just pick one") or interoperability ("...
and stick with it"), or is something else strongly binding to the
Bearer spec?

-- Justin
________________________________________
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>] On Behalf Of Anthony
Nadalin [<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>]
Sent: Wednesday, September 28, 2011 10:51 PM
To: Nat Sakimura
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>
Subject: Re: [Openid-specs-ab] UserInfo Request

I think it’s confusing the way it reads, as it does not give me an
option to use the OAuth Core, so how would I know????

From: Nat Sakimura [<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:sakimura@gmail.com">mailto:sakimura@gmail.com</a>]
Sent: Wednesday, September 28, 2011 5:21 PM
To: Anthony Nadalin
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>
Subject: Re: [Openid-specs-ab] UserInfo Request

I think it does. OAuth allows access_token to be used in HTTP
header, GET param, and POST param (body), and the text goes "Access
tokens sent in the authorization header must be Bearer
tokens<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer">&lt;http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer&gt;</a>[OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it SHOULD send the access token in the authorization header." so it is saying:

1. If the access_token is sent in the HTTP header, it has to use the
Bearer tokens scheme.
2. If the request is GET, it has to use HTTP header to send the
access_token.
(3. Implicitly, because OAuth allows - do as the OAuth says for the
POST, i.e., Body.)

Are you suggesting that we should add 3. so that people do not
have to read OAuth.2.0.Bearer?

=nat

On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin
&lt;<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a><a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:tonynad@microsoft.com">&lt;mailto:tonynad@microsoft.com&gt;</a>&gt; wrote:

In <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://openid.net/specs/openid-connect-standard-1_0.html#anchor19">http://openid.net/specs/openid-connect-standard-1_0.html#anchor19</a>
it does not call out the use of the body as an option for the access
token. Since access tokens can get large, there may be issues using
only the header. The bearer token specification allows usage of the
body, so should the OpenID standard specification.

_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Openid-specs-ab@lists.openid.net">&lt;mailto:Openid-specs-ab@lists.openid.net&gt;</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://nat.sakimura.org/">http://nat.sakimura.org/</a>
@_nat_en
</pre>
</blockquote>
</blockquote>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Tel: 0950.770.585
Mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:fulup@fridu.net">fulup@fridu.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.fridu.org/fulup">http://www.fridu.org/fulup</a>
</pre>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Tel: 0950.770.585
Mail: <a class="moz-txt-link-abbreviated" href="mailto:fulup@fridu.net">fulup@fridu.net</a>
<a class="moz-txt-link-freetext" href="http://www.fridu.org/fulup">http://www.fridu.org/fulup</a>
</pre>
</div>
</blockquote></div><br></div></div></body></html>