
Re: OAuth Bearer authentication - for proxies?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 25 Dec 2011 11:14:32 +0100
Message-ID: <4EF6F788.2020503@gmx.de>
To: Amos Jeffries <squid3@treenet.co.nz>
CC: ietf-http-wg@w3.org

On 2011-12-25 07:21, Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the
> credentials is open to replay attacks when caching TLS middleware is
> present. I believe this spec should mandate cache controls on responses
> using that method. Otherwise a lot of HTTP compliant middleware will
> feel free to store and supply the protected response to later replay
> attacks.
> ...

...you may want to send this to the OAuth WG...

Best regards, Julian
Received on Sunday, 25 December 2011 10:15:23 GMT
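As an added illustration, not part of this thread: a small Python model of the shared-cache storage rule behind the concern quoted above. It assumes a cache that applies the HTTP caching rule literally (a response to a request carrying an Authorization header is not stored by a shared cache unless the response explicitly allows it) and shows why a token sent in the URI query parameter, the method in section 2.3 of the draft, gets no such protection unless the response itself carries Cache-Control: no-store or private; the URL and headers are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs


def parse_cache_control(value):
    """Split 'private, max-age=60' into {'private': None, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers, status=200):
    """Simplified RFC 7234 section 3 rule: may a shared cache store this response?"""
    req = {k.lower(): v for k, v in request_headers.items()}
    cc = parse_cache_control(
        {k.lower(): v for k, v in response_headers.items()}.get("cache-control", ""))
    if status != 200:
        return False  # model only the common, heuristically cacheable case
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        # Authorization header: store only when the origin explicitly permits it.
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    # No Authorization header: the cache sees an ordinary, cacheable request,
    # even if the credential travelled in the query string.
    return True


def token_in_query(url):
    """True if the bearer token was sent as the access_token query parameter."""
    return "access_token" in parse_qs(urlsplit(url).query)


def replay_exposure(url, request_headers, response_headers):
    """Report whether a token-bearing exchange could later be served from a shared cache."""
    return {
        "token_in_query": token_in_query(url),
        "shared_cache_may_store": shared_cache_may_store(request_headers, response_headers),
    }


if __name__ == "__main__":
    url = "https://api.example.com/resource?access_token=abc123"  # constructed
    print(replay_exposure(url, {}, {}))                                # exposed
    print(replay_exposure(url, {}, {"Cache-Control": "no-store"}))     # mitigated
    print(replay_exposure(url, {"Authorization": "Bearer abc123"}, {}))  # not stored
```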
