It's my understanding that "Unbearable" is part of an effort to create a new
working group scoped to work on deliverables based upon these input documents:
http://tools.ietf.org/html/draft-balfanz-https-token-binding
http://tools.ietf.org/html/draft-popov-token-binding
I don't think that it was ever intended to cover every aspect of
proof-of-possession and so there's not actually any conflict with the work
we're already doing in OAuth. (Nor does it seem to me to be productive to add
even more documents-in-flight to the OAuth working group at present.)
Cheers,
-- Mike
-----Original Message-----
From: Unbearable [mailto:unbearable-bounces(_at_)ietf(_dot_)org] On Behalf Of Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
To: ietf(_at_)ietf(_dot_)org
Cc: Andrei Popov; unbearable(_at_)ietf(_dot_)org; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
Hi,
IETF Secretariat <ietf-secretariat(_at_)ietf(_dot_)org> writes:
> A new IETF non-working group email list has been created.
>
> List address: unbearable(_at_)ietf(_dot_)org
> Archive: http://www.ietf.org/mail-archive/web/unbearable/
> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>
> Purpose:
> This list is for discussion of proposals for doing better than bearer
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
> The specific goal is chartering a WG focused on preventing security
> token export and replay attacks.
The OAUTH Working Group is already (and has been for a while!) looking into
"holder of key" protocols to improve upon Bearer Tokens.
I would suggest that this work happen there instead of creating a whole new
group for it.
-derek
> For additional information, please contact the list administrators.
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant