Re: [Unbearable] New Non-WG Mailing List: unbearable

John Bradley <ve7jtb@ve7jtb.com> Mon, 08 December 2014 22:54 UTC

Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BC15602@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Mon, 08 Dec 2014 19:54:18 -0300
Message-Id: <282823ED-137E-4575-B5E8-B5FB840BCC11@ve7jtb.com>
References: <20141205191820.4189.348.idtracker@ietfa.amsl.com> <sjmtx18ziux.fsf@securerf.ihtfp.org> <4E1F6AAD24975D4BA5B16804296739439BC15602@TK5EX14MBXC286.redmond.corp.microsoft.com>
To: Michael Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/_KzRb85zgAwzssOz7RN6t51s3RQ
Cc: "unbearable@ietf.org" <unbearable@ietf.org>, Andrei Popov <Andrei.Popov@microsoft.com>, Derek Atkins <derek@ihtfp.com>, "ietf@ietf.org" <ietf@ietf.org>

We did discuss this at the last IETF meeting.

While the work is closely related to the PoP work in OAuth, it is not the same. It will allow us to do PoP tokens for the implicit flow, something that we haven't touched yet in OAuth because we don't have a workable way to manage keys in the browser. This work should allow us to do that.

I think the slide deck examples showing JWT using different mechanisms to express keys from the work done in the OAuth WG may be part of what has some people concerned.

I don't think these specs overlap with OAuth, but we do need to be mindful of scope creep. As I stated at the F2F we need to have the two groups work together, so that we can have PoP tokens via the browser.

John B.


> On Dec 8, 2014, at 6:58 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:
> 
> http://tools.ietf.org/html/draft-balfanz-https-token-binding
> http://tools.ietf.org/html/draft-popov-token-binding
> 
> I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth.  (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)
> 
> 				Cheers,
> 				-- Mike
> 
> -----Original Message-----
> From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Derek Atkins
> Sent: Saturday, December 06, 2014 11:20 AM
> To: ietf@ietf.org
> Cc: Andrei Popov; unbearable@ietf.org; Stephen Farrell
> Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
> 
> Hi,
> 
> IETF Secretariat <ietf-secretariat@ietf.org> writes:
> 
>> A new IETF non-working group email list has been created.
>> 
>> List address: unbearable@ietf.org
>> Archive: http://www.ietf.org/mail-archive/web/unbearable/
>> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>> 
>> Purpose:
>> 
>> This list is for discussion of proposals for doing better than bearer 
>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
>> The specific goal is chartering a WG focused on preventing security 
>> token export and replay attacks.
> 
> 
> The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens.
> 
> I would suggest that this work happen there instead of creating a whole new group for it.
> 
> -derek
> 
>> For additional information, please contact the list administrators.
> 
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable
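The thread above contrasts bearer tokens with proof-of-possession ("holder of key") tokens and names the list's goal as preventing token export and replay. The following is an added illustration of that distinction; it is not code from the thread, from the OAuth working group, or from the token-binding drafts. It assumes a simplified symmetric variant (the resource server already knows the client's PoP key under a key id carried in a `cnf` claim, in the spirit of RFC 7800), a server-issued single-use nonce as the freshness mechanism, and constructed keys and names (`ISSUER_KEY`, `CLIENT_POP_KEY`, `/data`) that exist only for the demo.

```python
"""Why a proof-of-possession token resists export and replay where a bearer token does not.
Added illustration; keys, claims layout and the nonce challenge are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

# Constructed keys (not from any real deployment).
ISSUER_KEY = b"issuer-signing-key-constructed-for-demo"   # shared issuer <-> resource server
CLIENT_POP_KEY = b"client-pop-key-constructed-for-demo"    # held only by the legitimate client


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _kid(pop_key: bytes) -> str:
    return hashlib.sha256(pop_key).hexdigest()[:16]


def issue_token(subject: str, pop_key: Optional[bytes]) -> str:
    """pop_key=None yields a plain bearer token; otherwise the token carries a
    'cnf' (confirmation) claim naming the key the holder must prove possession of."""
    claims = {"sub": subject, "aud": "resource-server"}
    if pop_key is not None:
        claims["cnf"] = {"kid": _kid(pop_key)}
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + _mac(ISSUER_KEY, body)


def parse_token(token: str) -> Optional[dict]:
    """Verify the issuer MAC and return the claims, or None if the token is bad."""
    body_hex, _, sig = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _mac(ISSUER_KEY, body)):
        return None
    return json.loads(body)


def make_proof(token: str, pop_key: bytes, nonce: str, method: str, path: str) -> str:
    """Client side: bind this specific request to the token using the PoP key."""
    return _mac(pop_key, "\n".join([token, nonce, method, path]).encode())


class ResourceServer:
    def __init__(self) -> None:
        self.known_pop_keys: Dict[str, bytes] = {}   # kid -> key (symmetric PoP variant)
        self.issued_nonces: Set[str] = set()
        self.used_nonces: Set[str] = set()

    def register_pop_key(self, pop_key: bytes) -> str:
        kid = _kid(pop_key)
        self.known_pop_keys[kid] = pop_key
        return kid

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.issued_nonces.add(nonce)
        return nonce

    def authorize(self, token: str, method: str, path: str,
                  nonce: Optional[str] = None, proof: Optional[str] = None) -> bool:
        claims = parse_token(token)
        if claims is None or claims.get("aud") != "resource-server":
            return False
        if "cnf" not in claims:
            return True    # bearer: holding the string is enough (the weakness under discussion)
        # PoP: require a fresh, single-use nonce and a valid proof under the bound key.
        if nonce is None or proof is None:
            return False
        if nonce not in self.issued_nonces or nonce in self.used_nonces:
            return False
        key = self.known_pop_keys.get(claims["cnf"]["kid"])
        if key is None:
            return False
        if not hmac.compare_digest(proof, make_proof(token, key, nonce, method, path)):
            return False
        self.used_nonces.add(nonce)
        return True


def scenario() -> Dict[str, bool]:
    """Run the comparison; each key names the case and the value is the server's decision."""
    rs = ResourceServer()
    rs.register_pop_key(CLIENT_POP_KEY)
    bearer = issue_token("alice", None)
    pop = issue_token("alice", CLIENT_POP_KEY)
    r = {}
    # 1. Exported bearer token: whoever holds the string is accepted.
    r["bearer_exported"] = rs.authorize(bearer, "GET", "/data")
    # 2. Legitimate client answers the challenge with its key.
    n = rs.challenge()
    r["pop_legit"] = rs.authorize(pop, "GET", "/data", n, make_proof(pop, CLIENT_POP_KEY, n, "GET", "/data"))
    # 3. Replaying the same (nonce, proof) pair is rejected.
    r["pop_replay"] = rs.authorize(pop, "GET", "/data", n, make_proof(pop, CLIENT_POP_KEY, n, "GET", "/data"))
    # 4. Exported PoP token without the key: no valid proof can be produced.
    n2 = rs.challenge()
    r["pop_exported_no_key"] = rs.authorize(pop, "GET", "/data", n2, make_proof(pop, b"guessed-key", n2, "GET", "/data"))
    # 5. A proof bound to one request does not transfer to another method/path.
    n3 = rs.challenge()
    r["pop_wrong_path"] = rs.authorize(pop, "DELETE", "/data", n3, make_proof(pop, CLIENT_POP_KEY, n3, "GET", "/data"))
    return r


if __name__ == "__main__":
    print(scenario())
```

The point the thread makes in words is visible in the last four cases: once the token is bound to a key the client holds, copying the token string is no longer sufficient, and the per-request nonce stops a captured proof from being replayed. The open problem John Bradley raises, managing that key inside a browser for the implicit flow, is exactly what this toy leaves out by handing the key to the client up front.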