- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sat, 31 Dec 2011 16:14:42 +1300
- To: ietf-http-wg@w3.org, oauth@ietf.org
Re-posting for cc to OAuth WG

On 25/12/2011 7:21 p.m., Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the
> credentials is open to replay attacks when caching TLS middleware is
> present. I believe this spec should mandate cache controls on
> responses using that method. Otherwise a lot of HTTP-compliant
> middleware will feel free to store and supply the protected response
> to later replay attacks.
>
>
>> During review, I wondered whether this might be a suitable scheme for
>> proxies; the draft doesn't currently specify it as such, and our list
>> of considerations for new schemes asks them to consider this.
>>
>> Do any of the proxy implementers on the list have thoughts about this
>> / possible interest in it?
>>
>
> I think it would be a good idea to prepare for. Quite a few admins
> these days consider transit to be a service that needs authenticating
> as much as any origin server resource. It might even encourage
> progress on the TLS proxy connection developments we have been waiting
> for.
>
> AYJ
Received on Saturday, 31 December 2011 03:15:36 UTC
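The replay Amos describes, as an added example that is not part of the original thread or of any WG draft: a toy shared (proxy) cache in Python that applies the RFC 7234 section 3 storage rules, placed in front of a constructed resource server. With the token carried in the URI query component (section 2.3 of the bearer draft) and no Cache-Control on the response, the cache stores the protected response and hands it back to an identical later request even after the token has been revoked, without the origin ever re-checking the token. Adding `Cache-Control: private` (what RFC 6750 section 2.3 eventually recommends for success responses to query-parameter requests) stops the shared cache from storing it; with the Authorization header method the cache already refuses to store unless the response opts in. The token value `tok-constructed-1`, the host `rs.example` and the `Origin`/`SharedCache` classes are assumptions made for this illustration.

```python
"""Added example (not from the original thread): a minimal shared cache that
follows the RFC 7234 section 3 storage rules, used to show how caching
middleware can replay a bearer-token-protected response. Token, URL and
origin server are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    from_cache: bool = False


def _directives(value: str) -> Set[str]:
    """Parse a Cache-Control value into a set of lower-case directive names."""
    return {d.split("=", 1)[0].strip().lower() for d in value.split(",") if d.strip()}


class Origin:
    """Constructed resource server: returns the resource only for a live token."""

    def __init__(self, cache_control: Optional[str] = None):
        self.live_tokens: Set[str] = {"tok-constructed-1"}  # constructed token
        self.cache_control = cache_control

    def handle(self, req: Request) -> Response:
        auth = req.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            token = auth[len("Bearer "):]
        else:
            # bearer draft section 2.3: token in the URI query component
            token = parse_qs(urlsplit(req.url).query).get("access_token", [None])[0]
        if token not in self.live_tokens:
            return Response(401, {"WWW-Authenticate": 'Bearer realm="example"'})
        hdrs = {"Cache-Control": self.cache_control} if self.cache_control else {}
        return Response(200, hdrs, "secret account data")


class SharedCache:
    """Shared (proxy) cache implementing only the storage decision of RFC 7234 s.3."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def _may_store(self, req: Request, resp: Response) -> bool:
        if req.method != "GET" or resp.status != 200:
            return False
        cc = _directives(resp.headers.get("Cache-Control", ""))
        if "no-store" in cc or "private" in cc:
            return False
        # A shared cache must not store a response to a request that carried
        # Authorization unless the response explicitly allows it (RFC 7234 s.3.2).
        if "Authorization" in req.headers and not (cc & {"public", "must-revalidate", "s-maxage"}):
            return False
        return True

    def fetch(self, req: Request) -> Response:
        # The query string, token included, is part of the cache key, so an
        # attacker replaying the exact observed URL gets the stored response.
        key = req.method + " " + req.url
        cached = self.store.get(key)
        if cached is not None:
            return Response(cached.status, cached.headers, cached.body, from_cache=True)
        resp = self.origin.handle(req)
        if self._may_store(req, resp):
            self.store[key] = resp
        return resp


def replay_after_revocation(cache_control: Optional[str], use_header: bool) -> Response:
    """Fetch once with a live token, revoke the token, then replay the identical
    request through the shared cache and return what the replay yields."""
    origin = Origin(cache_control)
    cache = SharedCache(origin)
    if use_header:
        req = Request("GET", "https://rs.example/account",
                      {"Authorization": "Bearer tok-constructed-1"})
    else:
        req = Request("GET", "https://rs.example/account?access_token=tok-constructed-1")
    cache.fetch(req)            # legitimate request while the token is live
    origin.live_tokens.clear()  # token revoked (or expired) afterwards
    return cache.fetch(req)     # replay of the same request


if __name__ == "__main__":
    for cc, hdr in [(None, False), ("private", False), (None, True), ("public, max-age=60", True)]:
        r = replay_after_revocation(cc, hdr)
        print(f"header={hdr!s:5} Cache-Control={cc!r:20} -> {r.status} from_cache={r.from_cache}")
```

The cache in the example knows nothing about OAuth; it simply has no rule telling it to treat a query-parameter token specially, which is the gap the message points at. The two mitigations it demonstrates are the origin marking success responses `private` (or `no-store`) and the client using the Authorization header, where the standard shared-cache rule already applies.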