Hi Igor,

I will pass on your comments.

Regards
Mark

Igor Faynberg <[email protected]> wrote on 16/05/2011 09:45:23:

> Igor Faynberg <[email protected]>
> 16/05/2011 09:45
>
> Please respond to: [email protected]
> To: Mark Mcgloin/Ireland/IBM@IBMIE
> cc: [email protected], [email protected]
> Subject: Re: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
>
> Mark,
>
> Many thanks for posting this. I am thinking of the next step.
>
> This paper proposes to use the Password-Based Asymmetric Key Exchange
> protocol. Many messages ago, I had proposed to use the Password-Based
> DH key exchange for the symmetric key generation.
>
> Another option is to mandate some form of PKI for all OAuth actors.
>
> I did not want to bring this discussion until 2.0 is finished and
> published. (I do believe that the current security analysis and
> considerations led by Torsten has been comprehensive, and therefore 2.0
> ought to move to conclusion.)
>
> For the future, maybe you could work with your colleagues to compare the
> PBAKE and PAK specifically as they apply to OAuth? You might also
> consider publishing PBAKE in the IETF.
>
> Igor
>
> Mark Mcgloin wrote:
> > ...
> > Here is another example of the
> > type of analysis I am looking for, this one covering OAuth 1.0a from our
> > research lab
> >
> > http://domino.watson.ibm.com/library/cyberdig.nsf/papers/B0D33665257DD3A0852576410043BCDD/$File/rc24856.pdf
