Hi Sergey, as Phil said it would be helpful for us to receive reviews of this document: http://tools.ietf.org/html/draft-tschofenig-oauth-security-00
The document lists requirements and threats.

Ciao
Hannes

On Nov 26, 2012, at 8:28 PM, Phil Hunt wrote:

> If we want to get this done we have to get agreements on the requirements for
> HOK. Several meetings ago (Quebec) the group indicated that MAC wasn't
> appropriate to anyone's needs.
>
> Some would argue that OAuth1 users arguably have less security than the
> simpler bearer token/TLS model in OAuth2. This just shows the real issue of
> demonstrated need has not been properly defined and understood.
>
> More dialog on use cases is very helpful to moving HOK/MAC/etc forward.
>
> Phil
>
> On 2012-11-26, at 10:15, Sergey Beryozkin <[email protected]> wrote:
>
>> Hi
>>
>> What needs to be done to complete the MAC token spec? Without having it
>> signed off it will be difficult to get people working with OAuth 1.0
>> convinced to move to 2.0.
>> I'm seeing another user request for getting OAuth 1.0 support extended
>> further because the user expects it is more secure, and I guess because it
>> is proven to work for people, and I guess because many OAuth 1.0 users feel
>> they should stay away from OAuth 2.0 because of some bad press.
>>
>> Without MAC being completed the division will continue, with even more
>> misleading anti-OAuth2 posts appearing (though I guess some of the better
>> posts point to some level of complexity in 2.0).
>>
>> Is it a matter of a security expert validating the text, fixing a few typos,
>> and basically signing it off?
>>
>> If someone is interested then I can provide the info offline on how MAC is
>> supported in our framework to get things tested easily and such...
>>
>> Cheers, Sergey
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
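The point Phil and Sergey are circling above, whether a bearer token over TLS or a MAC (holder-of-key) token is the right trust model, comes down to one concrete property: a bearer token is the proof, so anyone who captures the header can replay it, while a MAC token only lets the holder of the key produce a valid signature bound to one request. The script below is an added illustration of that difference; it is not code from the draft, from the list, or from Sergey's framework. The normalized request string, the header layout and the key material are simplified, constructed assumptions modelled loosely on the OAuth 2.0 MAC token draft and are not its normative algorithm.

```python
"""Bearer vs. MAC-style request authentication: replay and request binding.

Added illustration, not code from the MAC token draft or any project.
The header format and normalized request string below are assumptions
modelled loosely on the draft, not its normative algorithm.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; not real tokens or keys.
MAC_KEY_ID = "h480djs93hd8"        # assumed key identifier (constructed)
MAC_KEY = b"489dks293j39"          # assumed shared MAC secret (constructed)
BEARER_TOKEN = "mF_9.B5f-4.1JqM"   # constructed bearer token string


def normalized_request(ts, nonce, method, uri, host, port):
    # Assumed normalization: each field on its own line, trailing newline.
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""]
    return "\n".join(parts)


def mac_sign(key, ts, nonce, method, uri, host, port):
    # HMAC-SHA256 over the normalized request binds the MAC to time,
    # nonce, verb, path and origin; nothing else is reusable.
    msg = normalized_request(ts, nonce, method, uri, host, port).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_mac_header(method, uri, host, port, ts=None, nonce=None):
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = mac_sign(MAC_KEY, ts, nonce, method, uri, host, port)
    return f'MAC id="{MAC_KEY_ID}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(value):
    scheme, _, params = value.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return out


class ResourceServer:
    def __init__(self, host, port, max_skew=60):
        self.host, self.port, self.max_skew = host, port, max_skew
        # (ts, nonce) pairs already accepted; the skew window bounds how
        # long entries must be retained before they can be evicted.
        self.seen_nonces = set()

    def accept_bearer(self, auth_header):
        # Bearer: possession of the string is the entire proof.
        return auth_header == f"Bearer {BEARER_TOKEN}"

    def accept_mac(self, auth_header, method, uri, now):
        try:
            p = parse_mac_header(auth_header)
            ts = int(p["ts"])
        except (ValueError, KeyError):
            return False
        if p.get("id") != MAC_KEY_ID or abs(now - ts) > self.max_skew:
            return False                      # unknown key or stale timestamp
        if (ts, p["nonce"]) in self.seen_nonces:
            return False                      # replay of an accepted request
        expected = mac_sign(MAC_KEY, ts, p["nonce"], method, uri,
                            self.host, self.port)
        if not hmac.compare_digest(expected, p["mac"]):
            return False                      # signed for a different request
        self.seen_nonces.add((ts, p["nonce"]))
        return True


def replay_demo():
    """Replay one captured header against each scheme; returns the outcomes."""
    rs = ResourceServer("example.com", 443)
    now = 1_700_000_000
    results = {}
    bearer = f"Bearer {BEARER_TOKEN}"
    results["bearer_first"] = rs.accept_bearer(bearer)
    results["bearer_replay"] = rs.accept_bearer(bearer)   # captured header works again
    mac_hdr = client_mac_header("GET", "/resource/1", "example.com", 443,
                                ts=now, nonce="dj83hs9s")
    results["mac_first"] = rs.accept_mac(mac_hdr, "GET", "/resource/1", now)
    results["mac_replay"] = rs.accept_mac(mac_hdr, "GET", "/resource/1", now + 5)
    fresh = client_mac_header("GET", "/resource/1", "example.com", 443,
                              ts=now, nonce="fresh2")
    results["mac_other_uri"] = rs.accept_mac(fresh, "GET", "/resource/2", now)
    stale = client_mac_header("GET", "/resource/1", "example.com", 443,
                              ts=now - 600, nonce="old")
    results["mac_stale"] = rs.accept_mac(stale, "GET", "/resource/1", now)
    return results


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:15s} accepted={ok}")
```

Run stand-alone it prints that the bearer header is accepted twice while the MAC header is accepted once and then rejected on replay, on a different URI, and when its timestamp falls outside the skew window. The flip side, which Phil's remark about bearer-over-TLS being arguably simpler and safer alludes to, is visible in `ResourceServer`: the MAC scheme needs a shared key per client, a nonce store, and clock agreement, all of which are attack surface and operational cost that a bearer token over a correctly configured TLS channel does not carry.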
