On Wed, 2010-01-13 at 23:05 -0700, Eran Hammer-Lahav wrote:
> Authentication Open Question #3: Should require using TLS/SSL/secure channel
> for any request made without a signature?
>
> WRAP got a lot of attention (mostly negative) to how it sends requests
> without using signatures or a secure channel. WRAP only uses HTTPS for
> obtaining tokens but does not mandate (or even suggest) using HTTPS for
> making protected resources requests. Instead, WRAP recommends short-lived
> tokens that must be refreshed (using HTTPS).
>
> In a recent thread [1] on this list we reached (very small) consensus that the
> OAuth 1.0 protocol should mandate HTTPS for the PLAINTEXT method. The
> community edition only recommends it.
>
> QUESTIONS: Are there any valid (such that will pass IETF security review
> scrutiny) reasons for allowing unsigned requests to be sent in the clear
> over an insecure channel? Are there use cases for this (regardless of their
> security properties)?

Yes, two machines on a network that is internal and presumed secure, and
that doesn't need—or want!—the overhead of using point-to-point
transport layer security.

As has been pointed out on this thread, the decision to use a secure
channel, and to what extent it is made secure, are dependent on the
threat model: the sensitivity of the data, the extent to which it is
exposed, and the threat of its exposure.

I don't think the OAuth protocol specification should mandate (a la
MUST) transport security. At best, recommendations (a la SHOULD) would
be more appropriate, giving discretion to those designing and deploying.

>
> EHL
>
> [1] http://www.ietf.org/mail-archive/web/oauth/current/msg00951.html
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

Paul
