- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sun, 25 Dec 2011 19:21:32 +1300
- To: <ietf-http-wg@w3.org>
On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
> The OAUTH WG is creating a new authentication scheme for bearer
> tokens:
> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>

Reading section 2.3, it appears this method of transferring the credentials is open to replay attacks when caching TLS middleware is present. I believe this spec should mandate cache controls on responses using that method. Otherwise a lot of HTTP-compliant middleware will feel free to store and supply the protected response to later replay attacks.

> During review, I wondered whether this might be a suitable scheme for
> proxies; the draft doesn't currently specify it as such, and our list
> of considerations for new schemes asks them to consider this.
>
> Do any of the proxy implementers on the list have thoughts about this
> / possible interest in it?
>

I think it would be a good idea to prepare for. Quite a few admins these days consider transit to be a service that needs authenticating as much as any origin server resource. It might even encourage progress on the TLS proxy connection developments we have been waiting for.

AYJ
Received on Sunday, 25 December 2011 06:22:31 UTC
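The caching behaviour Amos is pointing at, as an added example that is not part of the original thread: a toy shared-cache model in Python (token value, URI, origin behaviour and the simplified cache rules are all constructed for illustration) that stores the response to a query-string bearer request unless the origin marks it `private` or `no-store`, and then keeps serving it after the token has been revoked.

```python
from typing import Dict, Optional, Tuple


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """'private, max-age=60' -> {'private': None, 'max-age': '60'}."""
    out: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip() or None
    return out

def shared_cache_may_store(req: Dict[str, str], resp: Dict[str, str]) -> bool:
    """Simplified HTTP/1.1 shared-cache rule: store unless told not to."""
    cc = parse_cache_control(resp.get("Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False
    if any(k.lower() == "authorization" for k in req):
        # An Authorization header blocks storage unless the origin opts in.
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    return True  # a token in the query string gives the cache no such hint

class SharedCache:
    """Transit cache keyed on the full request URI, query string included."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def get(self, uri: str, req: Dict[str, str]) -> Tuple[int, str, bool]:
        if uri in self.store:                      # served without consulting origin
            status, body = self.store[uri]
            return status, body, True
        status, body, resp = self.origin(uri, req)
        if shared_cache_may_store(req, resp):
            self.store[uri] = (status, body)
        return status, body, False

def replayed_after_revocation(origin_cache_control: Optional[str]) -> bool:
    """True if the cache still hands out the protected body once the token is dead."""
    valid = {"tok123"}                             # constructed sample token
    def origin(uri, req):                          # accepts the section 2.3 query form
        if uri.partition("access_token=")[2] in valid:
            hdrs = {"Cache-Control": origin_cache_control} if origin_cache_control else {}
            return 200, "SECRET-REPORT", hdrs
        return 401, "", {"WWW-Authenticate": "Bearer"}
    cache = SharedCache(origin)
    uri = "https://api.example/report?access_token=tok123"
    cache.get(uri, {})                             # legitimate fetch populates the cache
    valid.clear()                                  # token revoked or expired
    _, body, from_cache = cache.get(uri, {})
    return from_cache and body == "SECRET-REPORT"
```

`replayed_after_revocation(None)` returns True (the middleware replays the protected response), while `replayed_after_revocation("private")` or `"no-store"` returns False, which is the effect of the mandated cache controls the message argues for.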