RE: [Unbearable] New Non-WG Mailing List: unbearable

Mike Jones <> Mon, 08 December 2014 21:59 UTC

It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:

I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth.  (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)

				-- Mike

-----Original Message-----
From: Unbearable [] On Behalf Of Derek Atkins
Sent: Saturday, December 06, 2014 11:20 AM
Cc: Andrei Popov;; Stephen Farrell
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable


IETF Secretariat <> writes:

> A new IETF non-working group email list has been created.
> List address:
> Archive:
> To subscribe:
> Purpose:
> This list is for discussion of proposals for doing better than bearer 
> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
> The specific goal is chartering a WG focused on preventing security 
> token export and replay attacks.

The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens.

I would suggest that this work happen there instead of creating a whole new group for it.


> For additional information, please contact the list administrators.

       Derek Atkins                 617-623-3745   
       Computer and Internet Security Consultant
