[OAUTH-WG] Security Considerations - Access Tokens

2011-10-30 Thread Marco De Nadai
Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3, there
is this statement:

Access token (as well as any access token type-specific attributes) MUST be
kept confidential in transit and storage, and only shared among the
authorization server, the resource servers the access token is valid for,
and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access
Authentication, I can request a resource with Access Token sent in clear.
This invalidates the "Access token (as well as any access token
type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

-- 
*Marco De Nadai*
http://www.marcodena.it/
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Security Considerations - Access Tokens

2011-10-31 Thread Dan Taflin
To be consistent, section 10.3 should probably specify that the requirement of 
confidentiality in transit applies specifically to BEARER tokens.

I would like to see this relaxed further though, as I argued last week, to 
accommodate situations where a token is scoped to a limited set of data that 
isn't particularly sensitive. My example was image search. It seems too 
restrictive to require TLS for an operation that does nothing more than what 
anyone could do by pointing a browser at our web site. Http cookies can be 
specified as either requiring or not requiring secure transport; it seems 
reasonable to allow the same option for bearer tokens, which fulfill an 
analogous role.

Dan



Re: [OAUTH-WG] Security Considerations - Access Tokens

2011-10-31 Thread Marco De Nadai
I think it's wrong to specify, in the OAuth GENERAL security considerations,
a consideration that applies only to a specific type of token.

-- 
*Marco De Nadai*
http://www.marcodena.it/


Re: [OAUTH-WG] Security Considerations - Access Tokens

2011-10-31 Thread William Mills
Yeah, there's a punt here...  I believe it's recognizing that people will in
fact use bearer tokens on a plaintext channel, the slight mitigation being
the shorter lifespan of the token.



Re: [OAUTH-WG] Security Considerations - Access Tokens

2011-10-31 Thread Marco De Nadai
It's an OAuth2-Bearer security consideration, not OAuth generally.

-- 
*Marco De Nadai*
http://www.marcodena.it/


Re: [OAUTH-WG] Security Considerations - Access Tokens

2012-01-16 Thread Eran Hammer
Added the word 'credentials' (e.g. "Access token credentials (as well as...") 
to make this clearer. IOW, when using MAC tokens, the token secret is the part 
that must be protected, not the token id.

EHL

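As an added illustration of the distinction Eran draws above (example code written for this page, not code from the thread, the OAuth drafts, or any implementation): a MAC-style token is a credential with two parts, a public token id and a token secret. The client proves possession of the secret by computing an HMAC over the request, so only the id, a timestamp, a nonce and the MAC travel over the wire; the secret never does. The normalized request string used here is a simplification of the MAC Access Authentication draft's layout, not a spec-exact implementation, and the token id, secret, host and URIs are constructed sample values. A bearer token, by contrast, is the credential itself, so anyone who observes it on a plaintext channel can present it.

```python
"""MAC-style access token: public id on the wire, secret kept off the wire.

Added example, not from the OAuth WG thread or any draft. The request-string
layout is a simplification of the MAC Access Authentication draft.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials (hypothetical values), as an authorization
# server would issue them to the client and share with the resource server.
TOKEN_ID = "h480djs93hd8"            # may be seen by anyone on the path
TOKEN_SECRET = b"489dks293j39"       # the part that must stay confidential


def normalized_request_string(ts, nonce, method, uri, host, port, body_hash=""):
    """Fixed-order, newline-terminated elements so both sides sign the same bytes."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(),
                      str(port), body_hash, ""])


def mac_for(secret, request_string):
    return hmac.new(secret, request_string.encode(), hashlib.sha256).hexdigest()


def client_authorization_header(token_id, secret, method, uri, host, port,
                                ts=None, nonce=None):
    """Build the Authorization header; the secret is used but never transmitted."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = mac_for(secret, normalized_request_string(ts, nonce, method, uri, host, port))
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


class ResourceServer:
    """Verifies MAC requests: checks freshness, rejects replayed (id, ts, nonce)
    triples, then recomputes the MAC with the stored secret."""

    def __init__(self, credentials, max_skew=300):
        self.credentials = credentials      # token id -> secret
        self.max_skew = max_skew
        self.seen = set()

    def verify(self, header, method, uri, host, port, now=None):
        now = int(time.time()) if now is None else now
        p = parse_mac_header(header)
        secret = self.credentials.get(p.get("id"))
        if secret is None:
            return False
        ts = int(p["ts"])
        if abs(now - ts) > self.max_skew:
            return False                    # stale timestamp
        key = (p["id"], ts, p["nonce"])
        if key in self.seen:
            return False                    # replay of a captured request
        expected = mac_for(secret, normalized_request_string(ts, p["nonce"], method, uri, host, port))
        if not hmac.compare_digest(expected, p["mac"]):
            return False                    # forged or tampered request
        self.seen.add(key)
        return True


def bearer_verify(header, valid_tokens):
    """A bearer token is the credential: whoever observed it can present it."""
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and token in valid_tokens


def demo():
    """Legit MAC request passes; a captured header replayed or retargeted fails;
    a captured bearer token replays successfully."""
    rs = ResourceServer({TOKEN_ID: TOKEN_SECRET})
    now = 1320000000
    hdr = client_authorization_header(TOKEN_ID, TOKEN_SECRET, "GET", "/resource/1",
                                      "example.com", 80, ts=now, nonce="dj83hs9s")
    legit = rs.verify(hdr, "GET", "/resource/1", "example.com", 80, now=now)
    replay = rs.verify(hdr, "GET", "/resource/1", "example.com", 80, now=now)
    # Eavesdropper swaps in a fresh nonce and aims at another resource; without
    # the secret the MAC cannot be recomputed, so verification fails.
    forged_hdr = hdr.replace('nonce="dj83hs9s"', 'nonce="attacker1"')
    forged = rs.verify(forged_hdr, "GET", "/resource/2", "example.com", 80, now=now)
    bearer_replay = bearer_verify("Bearer mF_9.B5f-4.1JqM", {"mF_9.B5f-4.1JqM"})
    return {"legit": legit, "replay": replay, "forged": forged,
            "bearer_replay": bearer_replay}


if __name__ == "__main__":
    print(demo())
```

The sample in `demo()` is the threat the thread is discussing: an observer on a plaintext channel sees the MAC token id, timestamp, nonce and MAC, but can neither replay the request nor sign a new one, whereas the observed bearer token is accepted verbatim. This is why, for MAC tokens, the confidentiality requirement attaches to the token secret and not to the id.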


Re: [OAUTH-WG] Security Considerations - Access Tokens

2012-01-16 Thread Torsten Lodderstedt

Makes sense.

regards,
Torsten.
