On Apr 27, 10:11 am, Brian Eaton <bea...@google.com> wrote:
> On Sun, Apr 26, 2009 at 6:29 PM, Peter Keane <pjke...@gmail.com> wrote:
> >> b) that's what the unpredictable callback token is for.
>
> > Does that demonstrate it is the same user?  I believe it makes it
> > highly likely, but not "verifiable" (in standard authentication terms.
> > Nothing is 100% verifiable).
>
> The request token provides linkage from the consumer to the service
> provider.  The callback token provides linkage in the opposite
> direction.  If the consumer proves possession of a matching request
> token and callback token, that's excellent evidence that no session
> fixation attack is occurring.

Hi Brian-

Certainly, it is excellent evidence.  But I worry about not having a
verifiable linkage.  The linkages that OAuth leverage are as follows:

1.  The consumer and the SP have a shared "out-of-band" secret
(consumer pre-registration).  That allows the consumer to tell the SP
"hey it's verifiably me" (by way of the request token).
2. The user and the SP also have a shared "out-of-band" arrangement
-- SP authentication -- that verifies the user is verifiably who they
say they are.

Note that those are both based on "out-of-band" arrangements.  There
is actually no link to tie the user to the consumer, except for
tokens, parameters, etc., but those are all "in-band" and so are *not*
verifiable.  That last missing link is necessary for verifiable
identification of the u...@consumer.  A simple PIN or somesuch would
do it.

I'm happy with OAuth for the typical sorts of social networking,
photo-sharing, etc. use cases, and I use it for that.  But I'd very
much like to be able to recommend it for more highly secure scenarios
here on campus (I work in higher ed) that might involve confidential
records.  For OAuth to replace or be used in conjunction with the
current campus SSO and federated systems like Shibboleth, we would
really need that extra level of verifiable security.

--peter
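As an added illustration of the two-way linkage Brian describes (request token consumer -> SP, unpredictable verifier SP -> consumer), here is a small service-provider-side model in Python. It is not code from this thread or from any OAuth library; the class and method names are hypothetical, and the request signature check that normally proves the consumer's pre-registered secret is left out.

```python
import secrets

class ServiceProvider:
    def __init__(self, registered_consumers):
        self.consumers = registered_consumers  # consumer_key -> secret, shared out-of-band
        self.request_tokens, self.access_tokens = {}, {}

    def issue_request_token(self, consumer_key):
        # Linkage consumer -> SP: only a pre-registered consumer gets a request token
        # (the request signature check is elided in this model).
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None,
                                      "verifier": None, "consumed": False}
        return token

    def authorize(self, token, user):
        # The user logs in at the SP and approves the token; the SP mints a fresh,
        # unpredictable verifier (the "callback token") and returns it to the consumer
        # via the callback, or shows it to the user as a PIN. Linkage SP -> consumer.
        rt = self.request_tokens[token]
        if rt["user"] is not None:
            raise PermissionError("request token already authorized")
        rt["user"], rt["verifier"] = user, secrets.token_urlsafe(16)
        return rt["verifier"]

    def exchange(self, consumer_key, token, verifier):
        # Both halves must be presented together by the same consumer, and a
        # request token is single-use, so a replay after a real exchange fails too.
        rt = self.request_tokens.get(token)
        if rt is None or rt["consumer"] != consumer_key or rt["consumed"]:
            raise PermissionError("bad or reused request token")
        if rt["verifier"] is None or not secrets.compare_digest(rt["verifier"], verifier):
            raise PermissionError("verifier does not match request token")
        rt["consumed"] = True
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (consumer_key, rt["user"])
        return access

def try_exchange(sp, consumer_key, token, verifier):
    # Convenience wrapper for the walk-through: the identity behind the new access
    # token on success, or the refusal reason.
    try:
        return sp.access_tokens[sp.exchange(consumer_key, token, verifier)]
    except PermissionError as err:
        return str(err)
```

The model makes Peter's point visible as well: the verifier proves the consumer received something only the SP issued for that token, but the binding of the user to the consumer still rests on the user having typed in or been redirected with that in-band value.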



You received this message because you are subscribed to the Google Groups 
"OAuth" group.