RE: [Unbearable] New Non-WG Mailing List: unbearable

Mike Jones <Michael.Jones@microsoft.com> Mon, 08 December 2014 21:59 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Derek Atkins <derek@ihtfp.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: [Unbearable] New Non-WG Mailing List: unbearable
Date: Mon, 8 Dec 2014 21:58:58 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/BpzzoH7f2PUVbcAWVj7VirkQuHA
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, "unbearable@ietf.org" <unbearable@ietf.org>

It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:

http://tools.ietf.org/html/draft-balfanz-https-token-binding
http://tools.ietf.org/html/draft-popov-token-binding

I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth.  (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)

				Cheers,
				-- Mike

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
To: ietf@ietf.org
Cc: Andrei Popov; unbearable@ietf.org; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable

Hi,

IETF Secretariat <ietf-secretariat@ietf.org> writes:

> A new IETF non-working group email list has been created.
>
> List address: unbearable@ietf.org
> Archive: http://www.ietf.org/mail-archive/web/unbearable/
> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>
> Purpose:
>
> This list is for discussion of proposals for doing better than bearer 
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
> The specific goal is chartering a WG focused on preventing security 
> token export and replay attacks.


The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens.

I would suggest that this work happen there instead of creating a whole new group for it.

-derek

> For additional information, please contact the list administrators.

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
