In working on the SASL mechanism spec for OAuth we have to deal with Channel
Binding. Sparing you the gory details there I believe that the right thing to
do is to add the channel binding information into the tunneled HTTP/OAuth
authentication. For those OAuth profiles like MAC and SAML that have shared
secrets and signatures the channel binding information should be added into the
signed payload. Should the deinition of this be in the SASL mechanism spec
(updating the OAuth profile behavior) or is the right place for this to have
each OAuth profile define how channel binding is carried individually?
Using MAC as a strawman, the only convenient places to add this payload are
the body and as an additional query parameter. Both of these have drawbacks,
of the two I nominally prefer defining a new query parameter for this case.
The usage in SASL is pretty limited at this time, so query parameter will work
just fine.
Given OAuth is primarily defined in an HTTP context I don't think I'm stepping
on anything because I doubt anyone else is dealing with Channel Binding.
Mechanisms that have a shared secret and signing could actually use CB to
guarantee no MITM in an SSL context, which some would argue has significant
value.
If anyone has strong opinions on this topic please let me know.
Thanks,
-bill
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
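The strawman in the message above, carrying the channel binding value as an extra query parameter and covering it with the MAC signature, as an added illustration that is not code from the thread or from any OAuth MAC draft. It assumes a hypothetical parameter name `oauth_channel_binding`, a simplified normalized request string (nonce, method, request URI, host, port) and HMAC-SHA256; the `tls-unique` values are constructed byte strings standing in for what each TLS endpoint would actually observe.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical parameter name; the thread does not fix one.
CB_PARAM = "oauth_channel_binding"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def add_channel_binding(uri: str, cb_data: bytes) -> str:
    """Append the client's view of the TLS channel binding to the query string."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((CB_PARAM, b64(cb_data)))
    return parts._replace(query=urlencode(query)).geturl()


def normalized_request_string(method: str, uri: str, host: str, port: int, nonce: str) -> str:
    # Simplified stand-in for an OAuth MAC normalized request string (assumption).
    # Because the request URI is included, the channel binding parameter is signed too.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port)]) + "\n"


def sign(key: bytes, method: str, uri: str, host: str, port: int, nonce: str) -> str:
    msg = normalized_request_string(method, uri, host, port, nonce).encode("utf-8")
    return b64(hmac.new(key, msg, hashlib.sha256).digest())


def verify(key: bytes, method: str, uri: str, host: str, port: int,
           nonce: str, mac: str, server_cb: bytes) -> bool:
    """Server-side check: the signed channel binding must match the server's own TLS view."""
    query = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    presented = query.get(CB_PARAM)
    if presented is None:
        return False  # no channel binding carried; reject under a CB-required policy
    if not hmac.compare_digest(presented, b64(server_cb)):
        return False  # client and server are not on the same TLS session
    expected = sign(key, method, uri, host, port, nonce)
    return hmac.compare_digest(expected, mac)


def demo() -> tuple:
    """Returns (direct_ok, interposed_ok, tampered_ok) for the three scenarios."""
    key = b"constructed-shared-mac-key"
    host, port, method, nonce = "api.example.com", 443, "GET", "273156:di3hvdf8"
    client_cb = b"tls-unique-A"   # constructed: what the client's TLS session yields
    other_cb = b"tls-unique-B"    # constructed: a different TLS session's value

    uri = add_channel_binding("https://api.example.com/resource?x=1", client_cb)
    mac = sign(key, method, uri, host, port, nonce)

    # 1. Client and server share one TLS session: accepted.
    direct_ok = verify(key, method, uri, host, port, nonce, mac, client_cb)

    # 2. TLS was terminated in the middle, so the server sees a different
    #    channel binding than the one the client signed: rejected.
    interposed_ok = verify(key, method, uri, host, port, nonce, mac, other_cb)

    # 3. The parameter is rewritten to the server's value, but the MAC covers
    #    the request URI, so the signature no longer verifies: rejected.
    tampered = uri.replace(b64(client_cb), b64(other_cb))
    tampered_ok = verify(key, method, tampered, host, port, nonce, mac, other_cb)

    return direct_ok, interposed_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the message: once the channel binding value sits inside the signed payload, an endpoint that does not share the client's TLS session can neither accept the request as-is nor fix up the parameter, because the shared secret is needed to re-sign it.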