Hi
On 26/11/12 18:28, Phil Hunt wrote:
If we want to get this done we have to get agreements on the requirements for
HOK. Several meetings ago (Quebec) the group indicated that MAC wasn't
appropriate to anyone's needs.
Some would argue that OAuth1 users arguably have less security than the simpler
bearer token /tls model in OAuth2. This just shows the real issue of
demonstrated need has not been properly defined and understood.
From my point of view, the issue is not about which model is considered
to be more secure but about showing the OAuth1 users, who have accepted
and become accustomed to having their clients sign their token and protected
resource requests by following a well-understood signature algorithm,
that by working with MAC they can effectively get the same with OAuth
2.0 and with a lesser implementation (and round-trip) cost.
IMHO, this further support for encouraging 1.0 users to migrate by also having
MAC done (in addition to dropping the temporary request token
requirement) is not necessarily a high-priority issue for the major
OAuth 2.0 providers who offer support for large-scale 2.0 deployments
and such.
It is, though, more important for frameworks like the one I'm working
on, which target smaller-scale, simpler OAuth2 applications. Well, we
support OAuth 1.0 and we support the latest MAC draft, but the
'signature' effect is massive, and hence I'm hoping the MAC spec can be
completed without having all the OAuth 2.0 experts agree on its virtues...
Thanks, Sergey
More dialog on use cases is very helpful to moving HOK/MAC/etc forward.
Phil
On 2012-11-26, at 10:15, Sergey Beryozkin <[email protected]> wrote:
Hi
What needs to be done to complete the MAC token spec? Without having it signed
off it will be difficult to get people working with OAuth 1.0 convinced to move
to 2.0.
I'm seeing another user request for getting OAuth 1.0 support extended further
because the user expects it is more secure, and I guess because it is proven to
work for people, and I guess because many OAuth 1.0 users feel they should stay
away from OAuth 2.0 because of some bad press.
Without MAC being completed the division will continue, with even more
misleading anti-OAuth2 posts appearing (though I guess some of the better posts
point to some level of complexity in 2.0).
Is it a matter of a security expert validating the text, fixing a few typos, and
basically signing it off?
If someone is interested then I can provide the info offline on how MAC is
supported in our framework to get things tested easily and such...
Cheers, Sergey
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth