Here is some late input to this thread. The UMA group had a F2F meeting on Wednesday, for which draft minutes are written up here:
http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2010-03-10 I had taken an action from the last OAuth telecon to collect UMA use cases that related to the "signature question(s)". I have reproduced the various meeting notes on this point below. In essence, the UMA group continued to agree that message signing should remain an option, even with SSL in the picture, for authentication and auditing reasons. Note that Tom Holodnik of Intuit took away an action item to formally write up and submit the small-business UMA scenarios he's been referring to in our ongoing work (hinted at below), so we expect those soon. The health-data scenario at http://kantarainitiative.org/confluence/display/uma/hdata_scenario is also likely to have higher security and service-authentication requirements that could end up demanding message signing. Other submitted scenarios, so far, seem to have security requirements that are less stringent. (I'll send another message in a moment on our discussion of the token validation question.) Eve ==== Signing: Using today's WRAP, an UMA authorizing user can't be absolutely sure (based on a signed message) who accessed his protected resource, other than the client's IP address. It's only indirectly known by the AM, and that's only if a user policy made the AM demand some claim from the requester, and even so the authentication is at a "higher" level of the stack. So wherever there's a use case that requires that the access token be bound to the requester who wields it, we need signatures. This nets out to the requesting party (person or company seeking access) having an incentive to say "It's really me accessing this", such that it mitigates the risk that the requester (client) will hand off both the access token and the signing secret to a third party. Online banking might rise to this level. But if you install TurboTax on your PC, is it likelier that you the requesting user would sign something that gets bound to your TurboTax instance, or sign something that gets handed to your TurboTax instance as a bearer token that they use on your behalf without the binding? TomH feels that, yes, it's quite possible for this to be a value-add provided by something like TurboTax as a "trusted computing" offering. It was observed that the argument in the OAuth community about token size seems to be related to token signing, thusly: those who are willing to require the Authorization Server to be stateless need large meaningful tokens and want them signed; those who can use a stateful Authorization Server can use small opaque tokens that don't need signing. On 11 Mar 2010, at 9:56 PM, Torsten Lodderstedt wrote: > I volunteer to write it up. >> <hat type='chair'/> >> >> On 3/4/10 1:00 PM, Blaine Cook wrote: >> >>> One of the things that's been a primary focus of both today's WG call >>> and last week's call is what are the specific use cases for >>> signatures? >>> >>> - Why are signatures needed? >>> - What do signatures need to protect? >>> >>> Let's try to outline the use cases! Please reply here, so that we have >>> a good idea of what they are as we move towards the Anaheim WG. >>> >> This was a valuable thread. Perhaps someone could write up a summary of >> the points raised, either on the list or at the wiki? >> >> Peter Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
