re-posting for cc to OAuth WG

On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the
> credentials is open to replay attacks when caching TLS middleware is
> present. I believe this spec should mandate cache controls on
> responses using that method. Otherwise a lot of HTTP compliant
> middleware will feel free to store and supply the protected response
> to later replay attacks.
>
>
>> During review, I wondered whether this might be a suitable scheme for
>> proxies; the draft doesn't currently specify it as such, and our list
>> of considerations for new schemes asks them to consider this.
>>
>> Do any of the proxy implementers on the list have thoughts about this
>> / possible interest in it?
>>
>
> I think it would be a good idea to prepare for. Quite a few admins
> these days consider transit to be a service that needs authenticating
> as much as any origin server resource. It might even encourage
> progress on the TLS proxy connection developments we have been waiting
> for.
>
> AYJ
>

Received on Saturday, 31 December 2011 03:15:36 GMT
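The cache-control point raised in the message above can be made concrete with a small model of the shared-cache storage rules from RFC 7234 (sections 3 and 3.2). The following is an added example written for this archive page; it is not code from the thread, the OAuth WG, or any proxy project. It assumes a constructed token value, a constructed resource URL (`api.example.test`), and a deliberately simplified cache model (Vary, validators and non-GET methods are not handled). It contrasts the two token transports the draft describes: when the token rides in the `Authorization` header, RFC 7234 §3.2 already stops a shared cache from reusing the response unless the origin explicitly says `public`, `s-maxage` or `must-revalidate`; when the token rides in the query string (the draft's section 2.3), the request carries no `Authorization` header, so a plain 200 response with no cache controls is storable by default, and only an explicit `Cache-Control: private` or `no-store` from the origin prevents that.

```python
# Added example, not part of the mailing-list thread. A simplified model of the
# shared-cache storage rules in RFC 7234 (sections 3 and 3.2) applied to
# bearer-token requests, showing why responses need explicit cache controls.
from urllib.parse import urlsplit, parse_qs

# Status codes a cache may store without explicit freshness information
# (RFC 7234 section 4.2.2 heuristic freshness applies to these).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse a Cache-Control field value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def token_location(url, request_headers):
    """Where the bearer token travels: 'header' (draft s2.1), 'query' (s2.3) or None."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    if headers.get("authorization", "").lower().startswith("bearer "):
        return "header"
    if "access_token" in parse_qs(urlsplit(url).query):
        return "query"
    return None


def shared_cache_may_store(method, url, request_headers, status, response_headers):
    """Return (storable, reason): may a shared cache such as a caching proxy
    store this response and serve it to a later request with the same cache key?
    Simplified RFC 7234 s3 logic; only GET is modelled."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control", ""))
    res_cc = parse_cache_control(res.get("cache-control", ""))

    if method.upper() != "GET":
        return False, "only GET is modelled here"
    if "no-store" in req_cc or "no-store" in res_cc:
        return False, "no-store present on request or response"
    if "private" in res_cc:
        return False, "response is private; shared caches must not store it"
    # RFC 7234 s3.2: a request carrying Authorization is only shared-cacheable
    # when the response explicitly permits it.
    if "authorization" in req and not (set(res_cc) & {"must-revalidate", "public", "s-maxage"}):
        return False, "Authorization present without public/s-maxage/must-revalidate"
    explicit_freshness = bool(set(res_cc) & {"public", "max-age", "s-maxage"}) or "expires" in res
    if explicit_freshness:
        return True, "explicit freshness or public directive"
    if status in HEURISTICALLY_CACHEABLE:
        return True, "status %d is cacheable by default; heuristic freshness applies" % status
    return False, "no freshness information and status not cacheable by default"


def scenarios():
    """Four constructed exchanges; returns {name: (token_location, storable)}."""
    token = "CONSTRUCTED_TOKEN_abc123"          # constructed sample value
    resource = "https://api.example.test/v1/me"  # constructed resource URL
    query_url = resource + "?access_token=" + token
    json_only = {"Content-Type": "application/json"}
    out = {}
    # 1. Token in the query string, origin sends no cache controls: storable.
    out["query_no_cc"] = (token_location(query_url, {}),
                          shared_cache_may_store("GET", query_url, {}, 200, json_only)[0])
    # 2. Same request, origin adds Cache-Control: private: a shared cache must not store it.
    private = dict(json_only, **{"Cache-Control": "private"})
    out["query_private"] = (token_location(query_url, {}),
                            shared_cache_may_store("GET", query_url, {}, 200, private)[0])
    # 3. Token in the Authorization header, no cache controls: s3.2 blocks storage.
    auth_hdr = {"Authorization": "Bearer " + token}
    out["header_no_cc"] = (token_location(resource, auth_hdr),
                           shared_cache_may_store("GET", resource, auth_hdr, 200, json_only)[0])
    # 4. Authorization header but the origin says public: explicitly shared-cacheable.
    public = dict(json_only, **{"Cache-Control": "public, max-age=60"})
    out["header_public"] = (token_location(resource, auth_hdr),
                            shared_cache_may_store("GET", resource, auth_hdr, 200, public)[0])
    return out


if __name__ == "__main__":
    for name, (where, storable) in scenarios().items():
        print("%-14s token in %-6s shared cache may store: %s" % (name, where, storable))
```

Scenario 1 is the situation the message describes: a protected response that HTTP-compliant middleware is free to store because nothing in the exchange tells it otherwise. Scenario 2 is the fix the message asks the spec to mandate, and scenario 4 shows that even the header transport can be made shared-cacheable by an origin that sends `public`, so the origin's cache directives, not the token transport alone, decide what a proxy may replay.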