W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: REST-GSS I-D

From: Nico Williams <nico@cryptonector.com>
Date: Wed, 8 Jun 2011 15:43:11 -0500
Message-ID: <BANLkTi=Thk+H2zz61Gm=D2UL+rxKJgdWZQ@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: public-web-security@w3.org
On Wed, Jun 8, 2011 at 3:32 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> I've been reading your draft and attended your presentation at W3C. Trying to understand how this compares and/or complements OAuth.
>
> While different (and interesting), it still seems to involve multiple request/response exchanges much like OAuth 2-leg flows.

That's up to the mechanism.  The GSS-API does not dictate that there
must be more than one security context token in the exchange.

You do need two or more tokens if you're going to do mutual
authentication.   And you need mutual authentication if you want
channel binding.  But all that is optional.  Mutual authentication
adds value, but it's not required.

> There also seems to be an implication that the REST endpoint must be relative to the resource being accessed. OAuth's token and authorization end-points can be decoupled allowing for centralization of token services.  OAuth seems to have more flexibility and a broader pattern.

This is certainly true.  You don't get to replay tokens (you wouldn't
want to anyways).  New authentication implies new tokens.  This does
NOT mean that you can't reuse/cache certain things.  For example,
Kerberos tickets, OCSP responses, passwords, etcetera, can all be
cached, and they can be part of the security context tokens -- but
typically one also has some sort of äuthenticator", a proof of
possession (e.g., a signature, in the case of PKI).

Nico
--
Received on Wednesday, 8 June 2011 20:43:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC