
Re: [Unbearable] New Non-WG Mailing List: unbearable

2014-12-09 11:18:40
We did discuss this at the last IETF meeting.

While the work is closely related to the PoP work in OAuth, it is not the same.
It will allow us to do PoP tokens for the implicit flow, something that we
haven't touched yet in OAuth because we don't have a workable way to manage
keys in the browser. This work should allow us to do that.

I think the slide deck examples showing JWT using different mechanisms to 
express keys from the work done in the OAuth WG may be part of what has some 
people concerned.

I don't think these specs overlap with OAuth, but we do need to be mindful of
scope creep. As I stated at the F2F, we need to have the two groups work
together, so that we can have PoP tokens via the browser.

John B.


On Dec 8, 2014, at 6:58 PM, Mike Jones 
<Michael(_dot_)Jones(_at_)microsoft(_dot_)com> wrote:

It's my understanding that "Unbearable" is part of an effort to create a new 
working group scoped to work on deliverables based upon these input documents:

http://tools.ietf.org/html/draft-balfanz-https-token-binding
http://tools.ietf.org/html/draft-popov-token-binding

I don't think that it was ever intended to cover every aspect of 
proof-of-possession and so there's not actually any conflict with the work 
we're already doing in OAuth.  (Nor does it seem to me to be productive to 
add even more documents-in-flight to the OAuth working group at present.)

                              Cheers,
                              -- Mike

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces(_at_)ietf(_dot_)org] On Behalf Of 
Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
To: ietf(_at_)ietf(_dot_)org
Cc: Andrei Popov; unbearable(_at_)ietf(_dot_)org; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable

Hi,

IETF Secretariat <ietf-secretariat(_at_)ietf(_dot_)org> writes:

A new IETF non-working group email list has been created.

List address: unbearable(_at_)ietf(_dot_)org
Archive: http://www.ietf.org/mail-archive/web/unbearable/
To subscribe: https://www.ietf.org/mailman/listinfo/unbearable

Purpose:

This list is for discussion of proposals for doing better than bearer 
tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
The specific goal is chartering a WG focused on preventing security 
token export and replay attacks.


The OAUTH Working Group is already (and has been for a while!) looking into 
"holder of key" protocols to improve upon Bearer Tokens.

I would suggest that this work happen there instead of creating a whole new 
group for it.

-derek

For additional information, please contact the list administrators.

-- 
      Derek Atkins                 617-623-3745
      derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
      Computer and Internet Security Consultant

_______________________________________________
Unbearable mailing list
Unbearable(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/unbearable
