We did discuss this at the last IETF meeting.
While the work is closely related to the PoP work in OAuth it is not the same.
It will allow us to do PoP tokens for the implicit flow, something that we
haven't touched yet in OAuth because we don't have a workable way to manage
keys in the browser. This work should allow us to do that.
I think the slide deck examples showing JWT using different mechanisms to
express keys from the work done in the OAuth WG may be part of what has some
people concerned.
I don't think these specs overlap with OAuth, but we do need to be mindful of
scope creep. As I stated at the F2F we need to have the two groups work
together, so that we can have PoP tokens via the browser.
John B.
On Dec 8, 2014, at 6:58 PM, Mike Jones <Michael(_dot_)Jones(_at_)microsoft(_dot_)com> wrote:
It's my understanding that "Unbearable" is part of an effort to create a new
working group scoped to work on deliverables based upon these input documents:
http://tools.ietf.org/html/draft-balfanz-https-token-binding
http://tools.ietf.org/html/draft-popov-token-binding
I don't think that it was ever intended to cover every aspect of
proof-of-possession and so there's not actually any conflict with the work
we're already doing in OAuth. (Nor does it seem to me to be productive to
add even more documents-in-flight to the OAuth working group at present.)
Cheers,
-- Mike
-----Original Message-----
From: Unbearable [mailto:unbearable-bounces(_at_)ietf(_dot_)org] On Behalf Of
Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
To: ietf(_at_)ietf(_dot_)org
Cc: Andrei Popov; unbearable(_at_)ietf(_dot_)org; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
Hi,
IETF Secretariat <ietf-secretariat(_at_)ietf(_dot_)org> writes:
A new IETF non-working group email list has been created.
List address: unbearable(_at_)ietf(_dot_)org
Archive: http://www.ietf.org/mail-archive/web/unbearable/
To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
Purpose:
This list is for discussion of proposals for doing better than bearer
tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
The specific goal is chartering a WG focused on preventing security
token export and replay attacks.
The OAUTH Working Group is already (and has been for a while!) looking into
"holder of key" protocols to improve upon Bearer Tokens.
I would suggest that this work happen there instead of creating a whole new
group for it.
-derek
For additional information, please contact the list administrators.
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
Unbearable mailing list
Unbearable(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/unbearable