Re: [oauth] Will OAuth 2 address how to protect a distributed HTTP (non HTTPS) service from replay attacks?

2010-07-09 Thread Peter Saint-Andre
Questions about OAuth 2 are probably better directed to the IETF discussion list: https://www.ietf.org/mailman/listinfo/oauth On 7/8/10 10:08 AM, AnthonyL (York) wrote: Hi there, This is a discussion post that started off as a question: Will OAuth 2 address how to protect a distributed HTTP

Re: [oauth] Re: OAuth 2 in new projects

2010-06-08 Thread Peter Saint-Andre
-- Peter Saint-Andre https://stpeter.im

Re: [oauth] Re: OAuth 2 in new projects

2010-06-08 Thread Peter Saint-Andre
On 6/8/10 1:43 PM, Lee Hambley wrote: Right, that was our take on it too… but does it have a formal name yet? Or just RFC5849 ? RFC 5849 is about as formal as it gets. :) Peter -- Peter Saint-Andre https://stpeter.im/

Re: [oauth] Re: OAuth 2 in new projects

2010-06-08 Thread Peter Saint-Andre
. Pretty much explains it, I'd say. Peter -- Peter Saint-Andre https://stpeter.im/

Re: [oauth] Found two small mistakes in draft-hammer-oauth2-00.txt document

2010-04-26 Thread Peter Saint-Andre
On 4/26/10 9:16 AM, KiNgMaR wrote: while OAuth 2.0 seems very nice and very well thought through overall, I couldn't help but notice two small mistakes in the draft: Please send feedback about the Internet-Draft to the IETF list: https://www.ietf.org/mailman/listinfo/oauth /psa

[oauth] Re: build signature base string

2009-11-04 Thread Peter Saint-Andre
/draft-ietf-oauth-web-delegation-01 Once those items are completed (or farther along), the OAUTH WG will also work on extensions, but until then I think this list is probably the best place for discussion of extensions. Eran will correct me if I'm wrong. :) Peter -- Peter Saint-Andre https

[oauth] [Fwd: [OAUTH-WG] Working Group Last Call for draft-hammer-oauth-03]

2009-10-08 Thread Peter Saint-Andre
on the IETF's oa...@ietf.org list by October 30. You can subscribe here: https://www.ietf.org/mailman/listinfo/oauth Thanks. Peter - Original Message Subject: [OAUTH-WG] Working Group Last Call for draft-hammer-oauth-03 Date: Thu, 08 Oct 2009 12:17:56 -0600 From: Peter Saint

[oauth] Re: Signing PUT request

2009-09-18 Thread Peter Saint-Andre
would be to push forward as quickly as possible with the two Internet-Drafts (authentication and web-delegation). You can help make that happen by reviewing the I-Ds and posting your comments to the oa...@ietf.org list. :) Peter -- Peter Saint-Andre https://stpeter.im/

[oauth] Re: Signing PUT request

2009-09-16 Thread Peter Saint-Andre
that an amendment should be done to the specification. IMHO this needs to be clarified in the Internet-Draft. I'll forward this message to oa...@ietf.org list. Peter -- Peter Saint-Andre https://stpeter.im/

[oauth] Re: HTTP response for bad oauth_verifier?

2009-08-27 Thread Peter Saint-Andre
Invalid / expired Token o Invalid signature o Invalid / used nonce Peter -- Peter Saint-Andre https://stpeter.im/

[oauth] Re: HTTP response for bad oauth_verifier?

2009-08-27 Thread Peter Saint-Andre
http://wiki.oauth.net/ProblemReporting has timestamp_refused (and also verifier_invalid), but it is unclear about the mapping between those more specific conditions and the generic HTTP conditions. IMHO this needs to be clarified in

[oauth] Re: HTTP response for bad oauth_verifier?

2009-08-27 Thread Peter Saint-Andre
-- Peter Saint-Andre https://stpeter.im/

[oauth] [Fwd: [OAUTH-WG] Breakfast BoF minutes]

2009-07-29 Thread Peter Saint-Andre
Some news from IETF 75... - Original Message Subject: [OAUTH-WG] Breakfast BoF minutes Date: Wed, 29 Jul 2009 08:50:02 +0200 From: Peter Saint-Andre stpe...@stpeter.im To: oa...@ietf.org oa...@ietf.org We just finished an OAuth

[oauth] Re: Is there a spec for 2-legged OAuth?

2009-07-06 Thread Peter Saint-Andre
and SP? Is there a spec anywhere? I'm hoping that Eran will talk about this in the Internet-Draft he plans to submit about the delegation workflows. Peter -- Peter Saint-Andre https://stpeter.im/

Re: FW: [oauth] WG kickoff

2009-05-29 Thread Peter Saint-Andre
community's energy and enthusiasm to the IETF. Peter -- Peter Saint-Andre https://stpeter.im/

Re: FW: [oauth] WG kickoff

2009-05-29 Thread Peter Saint-Andre
with the string [oauth]. To prevent confusion, I have changed the ietf.org list so that the string is [OAUTH] (in all caps), which is all that Mailman lets you do. It's not much, but it's something. :) Peter -- Peter Saint-Andre https://stpeter.im/

[oauth] Re: Using Cookie to Thwart Session Fixation

2009-04-23 Thread Peter Saint-Andre
if we drop a cookie? Cookies won't work for anything but HTTP (and even then some HTTP user agents don't support cookies). Peter -- Peter Saint-Andre https://stpeter.im/