Key rotation I understand.  Forcing expiry on every reissue seems extreme though.

________________________________
From: Brian Eaton <bea...@google.com>
To: William J. Mills <wmi...@yahoo-inc.com>
Cc: Torsten Lodderstedt <tors...@lodderstedt.net>; Eran Hammer-Lahav 
<e...@hueniverse.com>; OAuth WG <oauth@ietf.org>
Sent: Tuesday, July 12, 2011 9:32 AM
Subject: Re: [OAUTH-WG] Refresh token security considerations

On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <wmi...@yahoo-inc.com> wrote:
> Why would you re-issue a refresh token every usage?  What's the use case
> where this makes sense?

It's key rotation built into the protocol.  Even if a refresh token is
stolen, it's going to become useless to the attacker very quickly.

My main concern with rotating refresh tokens with every use is that it
can cause problems with distributed client apps; they have to keep the
refresh token in sync, and it adds complexity.  But for desktop and
mobile apps it's quite a good idea.

(You can see a similar design in how Active Directory manages kerberos
machine keys.  They took a slightly different approach, in that the
client machines phone home to change their keys, but it provides
similar benefits.)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
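The rotate-on-every-refresh design Brian describes, as an added example that is not code from this thread or from any OAuth implementation: a minimal authorization-server refresh endpoint in Python. It goes one step beyond the thread by also detecting reuse of a rotated-out token (the standard complement to rotation, cf. RFC 6819 section 5.2.2.3), which is what makes a stolen refresh token useless quickly and also surfaces the out-of-sync distributed-client case he worries about. `TokenStore`, `RefreshRecord` and the theft scenario are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class RefreshRecord:
    family: str          # lineage id shared by every token issued via rotation
    active: bool = True  # False once rotated out; only the newest token is active

class TokenStore:
    """Hypothetical in-memory refresh-token store for an authorization server
    (a real one would persist it and key it on a hash of the token value)."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()

    def issue(self) -> str:
        # Initial grant: start a new token family.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(family=secrets.token_hex(8))
        return token

    def refresh(self, presented: str) -> tuple[str, str]:
        """Rotate: invalidate the presented token, return (access, new refresh)."""
        rec = self._tokens.get(presented)
        if rec is None or rec.family in self._revoked_families:
            raise PermissionError("invalid_grant")
        if not rec.active:
            # A rotated-out token came back: a stolen copy is being replayed, or
            # (the distributed-client problem) a replica is out of sync. Either
            # way the whole lineage is revoked and the client must re-authorize.
            self._revoked_families.add(rec.family)
            raise PermissionError("invalid_grant: refresh token reuse detected")
        rec.active = False
        new_refresh = secrets.token_urlsafe(32)
        self._tokens[new_refresh] = RefreshRecord(family=rec.family)
        return secrets.token_urlsafe(32), new_refresh  # access token stand-in

def demo_stolen_token() -> list[str]:
    """Constructed scenario: attacker copied rt0, legitimate client refreshes first."""
    store, events = TokenStore(), []
    rt0 = store.issue()
    _, rt1 = store.refresh(rt0)  # client rotates rt0 -> rt1; rt0 is now dead
    events.append("client rotated")
    for stale in (rt0, rt1):  # replay of rt0 trips detection; rt1 is collateral
        try:
            store.refresh(stale)
        except PermissionError as exc:
            events.append(str(exc))
    return events
```

Whichever party presents the shared token second loses, and the legitimate client is forced back through authorization, which is the signal the server should log and alert on.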
