What specific language would you suggest be added to what section(s)?
-- Mike
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Amos Jeffries
Sent: Monday, April 23, 2012 7:10 PM
To: [email protected]
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
On 24.04.2012 13:46, [email protected] wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Web Authorization
> Protocol Working Group of the IETF.
>
> Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens
> Author(s) : Michael B. Jones
> Dick Hardt
> David Recordon
> Filename : draft-ietf-oauth-v2-bearer-19.txt
> Pages : 24
> Date : 2012-04-23
>
> This specification describes how to use bearer tokens in HTTP
> requests to access OAuth 2.0 protected resources. Any party in
> possession of a bearer token (a "bearer") can use it to get access to
> the associated resources (without demonstrating possession of a
> cryptographic key). To prevent misuse, bearer tokens need to be
> protected from disclosure in storage and in transport.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt
The section 2.3 (URL Query Parameter) text is still lacking explicit and
specific security requirements. The overarching TLS requirement is good in
general, but insufficient in the presence of HTTP intermediaries on the TLS
connection path as is becoming a common practice.
The upcoming HTTPbis specs document this issue as a requirement for new auth
schemes such as Bearer:
http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
"
Therefore, new authentication schemes which choose not to carry
credentials in the Authorization header (e.g., using a newly
defined header) will need to explicitly disallow caching, by
mandating the use of either Cache-Control request directives
(e.g., "no-store") or response directives (e.g., "private").
"
AYJ
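As an added illustration of the caching hazard raised above (example code, not from the thread, the Bearer draft or HTTPbis): a small audit routine that, for one HTTP request/response pair, reports when the token was carried in the URL query and whether the Cache-Control protections the quoted HTTPbis text calls for (request `no-store`, response `private`) are present. The header dicts, the `/resource` path and the token value are constructed inputs.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter name the Bearer draft defines for tokens in the URL.
TOKEN_PARAM = "access_token"


def header(headers, name):
    """Case-insensitive lookup of a header in a plain dict (constructed input)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def cache_directives(value):
    """Split a Cache-Control value into a lowercase set of directive names."""
    names = (part.strip().split("=", 1)[0].strip().lower() for part in value.split(","))
    return {n for n in names if n}


def audit_exchange(request_target, request_headers, response_headers):
    """Return a list of findings for one request/response pair.

    Empty when the token was not carried in the URL query. Otherwise the
    protections the HTTPbis text calls for are checked: Cache-Control:
    no-store on the request and Cache-Control: private (or no-store) on
    the response, so a shared cache on the TLS path does not store them.
    """
    query = parse_qs(urlsplit(request_target).query)
    if TOKEN_PARAM not in query:
        return []
    findings = ["token in URL query: visible to and storable by intermediaries"]
    if "no-store" not in cache_directives(header(request_headers, "Cache-Control")):
        findings.append("request lacks Cache-Control: no-store")
    resp = cache_directives(header(response_headers, "Cache-Control"))
    if not resp & {"private", "no-store"}:
        findings.append("response lacks Cache-Control: private (shared cache may store it)")
    return findings


if __name__ == "__main__":
    # Constructed exchanges, not captured traffic.
    unguarded = audit_exchange("/resource?access_token=EXAMPLE_TOKEN",
                               {"Host": "rs.example"}, {"Content-Type": "application/json"})
    guarded = audit_exchange("/resource?access_token=EXAMPLE_TOKEN",
                             {"Cache-Control": "no-store"},
                             {"Cache-Control": "private, max-age=0"})
    print(unguarded)  # three findings
    print(guarded)    # only the "token in URL query" finding remains
```

Sending the token in the Authorization header instead produces no findings, which is the point of the HTTPbis text: the query-parameter method needs the extra caching directives that the header method gets for free.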
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth