W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: OAuth Bearer authentication - for proxies?

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 25 Dec 2011 19:21:32 +1300
To: <ietf-http-wg@w3.org>
Message-ID: <abe2950b95b27818e9e6ebddc99a7b7e@treenet.co.nz>
 On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
> The OAUTH WG is creating a new authentication scheme for bearer 
> tokens:
>   http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>

 Reading section 2.3, it appears this method of transferring the 
 credentials is open to replay attacks when caching TLS middleware is 
 present. I believe this spec should mandate cache controls on responses 
 using that method. Otherwise a lot of HTTP compliant middleware will 
 feel free to store and supply the protected response to later replay 
 attacks.


> During review, I wondered whether this might be a suitable scheme for
> proxies; the draft doesn't currently specify it as such, and our list
> of considerations for new schemes asks them to consider this.
>
> Do any of the proxy implementers on the list have thoughts about this
> / possible interest in it?
>

 I think it would be a good idea to prepare for. Quite a few admin these 
 days consider transit to be a service that needs authenticating as much 
 as any origin server resource. It might even encourage progress on the 
 TLS proxy connection developments we have been waiting for.

 AYJ
Received on Sunday, 25 December 2011 06:22:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:51 GMT