Nico Williams | 16 Aug 2012 18:20

Bearer vs. non-bearer (Re: OAUTH SASL and Channel binding)

FWIW, I see the appeal of bearer tokens.  If you trust the TLS server
PKI then bearer tokens can be implemented with no changes to the
HTTP/TLS stack and *no additional crypto* on the client side.  Heck,
it's even possible to implement bearer token schemes with no
additional crypto anywhere.  This sounds too wonderful to be true,
but it is true, no?

But once you're stuck with a bearer token you're also stuck with
either trusting the TLS server PKI fully, or making changes to the
HTTP/TLS stack.  That seems like an awful bind to me.

So, in principle bearer and signature tokens can both offer reasonable
security (if one adheres to their respective security considerations).
 In practice there are differences, which I hope I captured succinctly
enough above.

I believe the downsides of bearer tokens overwhelm the upside -- a
proposition that no doubt requires more discussion.

Nico
--
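The trade-off described in the message above, shown as an added example (this is illustration code, not code from the thread, from Nico, or from any OAuth/SASL draft): a bearer token is accepted wherever it is presented, so if the client's TLS session terminated at an impostor (a mis-issued server certificate is enough), the credential can be forwarded to the real server over the impostor's own connection. A non-bearer token that proves possession of a secret over the TLS channel binding cannot be reused that way, but it costs the client a MAC computation and needs a TLS stack that exposes the binding value. The channel-binding strings, secret, token and request line are all constructed values; `bind_token`/`verify_bound` are a hypothetical HMAC-based stand-in for whatever signature scheme a real non-bearer profile would use.

```python
"""Bearer token vs. channel-bound proof-of-possession under a TLS MITM.

Added illustration, not code from the thread. Channel-binding values are
fixed constructed byte strings standing in for a per-connection value such
as tls-unique; real code would obtain them from the TLS layer.
"""
import hashlib
import hmac

# Constructed demo values (not real keys or TLS data).
CLIENT_SECRET = bytes.fromhex("00" * 16 + "ff" * 16)        # shared with the server
BEARER_TOKEN = "oauth-bearer-demo-token-0123456789abcdef"    # what the AS issued
REQUEST_LINE = "GET /resource HTTP/1.1"

# Per-connection channel bindings as each endpoint sees them.
HONEST_CB = b"tls-unique:" + bytes(range(12))            # client <-> real server
CLIENT_MITM_CB = b"tls-unique:" + bytes(range(200, 212))  # client <-> attacker
MITM_CB = b"tls-unique:" + bytes(range(100, 112))        # attacker <-> real server


def verify_bearer(presented: str, issued: str = BEARER_TOKEN) -> bool:
    """Server-side bearer check: possession of the string is the credential.
    Nothing ties it to the TLS connection it arrived on, so the server has no
    way to tell a forwarded token from the original."""
    return hmac.compare_digest(presented, issued)


def bind_token(secret: bytes, channel_binding: bytes, request_line: str) -> str:
    """Client side of a non-bearer scheme (hypothetical HMAC construction):
    prove knowledge of the secret over the channel binding plus the request,
    so the proof is useless on any other TLS connection."""
    msg = channel_binding + b"\n" + request_line.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_bound(secret: bytes, server_view_cb: bytes,
                 request_line: str, proof: str) -> bool:
    """Server side: recompute over the binding of the connection the request
    actually arrived on; a proof made for a different connection fails."""
    expected = bind_token(secret, server_view_cb, request_line)
    return hmac.compare_digest(expected, proof)


def run_scenarios() -> dict:
    """Return which credentials the server accepts in the honest and MITM cases."""
    results = {}

    # 1. Honest path: one TLS connection, both ends see HONEST_CB.
    results["bearer_direct"] = verify_bearer(BEARER_TOKEN)
    proof = bind_token(CLIENT_SECRET, HONEST_CB, REQUEST_LINE)
    results["bound_direct"] = verify_bound(CLIENT_SECRET, HONEST_CB, REQUEST_LINE, proof)

    # 2. MITM path: the client's TLS session terminates at an attacker, who
    # forwards whatever the client sent over its own connection to the real
    # server. The client computed its proof for CLIENT_MITM_CB; the server
    # sees MITM_CB. The bearer token carries no such binding at all.
    forwarded_bearer = BEARER_TOKEN
    results["bearer_replayed"] = verify_bearer(forwarded_bearer)
    forwarded_proof = bind_token(CLIENT_SECRET, CLIENT_MITM_CB, REQUEST_LINE)
    results["bound_replayed"] = verify_bound(CLIENT_SECRET, MITM_CB, REQUEST_LINE,
                                             forwarded_proof)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} accepted={accepted}")
```

The two "direct" cases succeed and the bearer "replayed" case also succeeds, which is exactly the property the message objects to: once the server PKI is fooled, a bearer token is fully compromised. The bound proof fails on the attacker's connection because the server's channel-binding value differs from the one the client signed over. Note what the bound scheme does not buy: the attacker can still relay the client's request unchanged on the client's own session, so channel binding protects the credential from reuse, not the single request from being observed.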