
Re: OAuth Bearer authentication - for proxies?

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sat, 31 Dec 2011 16:14:42 +1300
Message-ID: <4EFE7E22.9010200@treenet.co.nz>
To: ietf-http-wg@w3.org, oauth@ietf.org
re-posting for cc to OAuth WG

On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>>   http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the 
> credentials is open to replay attacks when caching TLS middleware is 
> present. I believe this spec should mandate cache controls on 
> responses using that method. Otherwise a lot of HTTP compliant 
> middleware will feel free to store and supply the protected response 
> to later replay attacks.
>
>
>> During review, I wondered whether this might be a suitable scheme for
>> proxies; the draft doesn't currently specify it as such, and our list
>> of considerations for new schemes asks them to consider this.
>>
>> Do any of the proxy implementers on the list have thoughts about this
>> / possible interest in it?
>>
>
> I think it would be a good idea to prepare for. Quite a few admins 
> these days consider transit to be a service that needs authenticating 
> as much as any origin server resource. It might even encourage 
> progress on the TLS proxy connection developments we have been waiting 
> for.
>
> AYJ
>
>
Received on Saturday, 31 December 2011 03:15:36 GMT
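The caching exposure described in the message above, as an added example that is not code from this thread, from the OAuth draft or from Squid: a shared-cache storability check following RFC 7234 section 3, run over constructed bearer-token exchanges. It shows why a token carried as a URI query parameter (the draft's section 2.3 method, parameter name `access_token`) needs explicit cache controls on the response: only an `Authorization` header triggers the rule that stops a shared cache storing the response, and the query-string form never sets that header. Function names and the sample exchanges are this example's own, not the draft's.

```python
"""Can a shared cache (caching proxy) store a bearer-protected response?
Added example for this thread; not code from the OAuth draft or Squid."""
from urllib.parse import parse_qs, urlsplit


def parse_cache_control(value):
    """Parse 'private, max-age=60' into {'private': None, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') if arg else None
    return directives


def token_location(request_headers, request_target):
    """Where the request carries its bearer token: 'header', 'query' or None."""
    auth = request_headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        return "header"  # Authorization request header field
    if "access_token" in parse_qs(urlsplit(request_target).query):
        return "query"  # URI query parameter (draft sec. 2.3 / RFC 6750 sec. 2.3)
    return None


def shared_cache_may_store(request_headers, response_headers):
    """RFC 7234 sec. 3: no-store and private forbid a shared cache from storing;
    a request with an Authorization header also blocks storage unless the
    response carries must-revalidate, public or s-maxage (sec. 3.2).
    A token in the query string triggers none of that protection."""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if any(k.lower() == "authorization" for k in request_headers):
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    return True


def replay_exposure(request_headers, request_target, response_headers):
    """'exposed' when a shared cache may store and later replay the response."""
    if token_location(request_headers, request_target) is None:
        return "no-token"
    return "exposed" if shared_cache_may_store(request_headers, response_headers) else "safe"


# Constructed sample exchanges (not captured traffic); token value is RFC 6750's example.
CASES = {
    "header_no_cc": ({"Authorization": "Bearer mF_9.B5f-4.1JqM"}, "/resource", {}),
    "query_no_cc": ({}, "/resource?access_token=mF_9.B5f-4.1JqM", {}),
    "query_no_store": ({}, "/resource?access_token=mF_9.B5f-4.1JqM", {"Cache-Control": "no-store"}),
}

if __name__ == "__main__":
    for name, (req_h, target, resp_h) in CASES.items():
        print(name, replay_exposure(req_h, target, resp_h))
```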
