Re: [Unbearable] New Non-WG Mailing List: unbearable

Phil Hunt <phil.hunt@oracle.com> Mon, 08 December 2014 23:17 UTC

References: <20141205191820.4189.348.idtracker@ietfa.amsl.com> <sjmtx18ziux.fsf@securerf.ihtfp.org> <4E1F6AAD24975D4BA5B16804296739439BC15602@TK5EX14MBXC286.redmond.corp.microsoft.com> <282823ED-137E-4575-B5E8-B5FB840BCC11@ve7jtb.com>
In-Reply-To: <282823ED-137E-4575-B5E8-B5FB840BCC11@ve7jtb.com>
Message-Id: <0FFD8ED9-3AE4-4CB7-871B-00C7881EEF54@oracle.com>
From: Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
Date: Mon, 8 Dec 2014 15:17:30 -0800
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, "ietf@ietf.org" <ietf@ietf.org>, "unbearable@ietf.org" <unbearable@ietf.org>, Derek Atkins <derek@ihtfp.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/eEGkumIC3-i29nBrVyOSR6wSUik

Maybe all token work should be together in its own WG?

Phil

> On Dec 8, 2014, at 14:54, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> We did discuss this at the last IETF meeting.
> 
> While the work is closely related to the PoP work in OAuth it is not the same.  It will allow us to do PoP tokens for the implicit flow, something that we haven't touched yet in OAuth because we don't have a workable way to manage keys in the browser.   This work should allow us to do that.
> 
> I think the slide deck examples showing JWT using different mechanisms to express keys from the work done in the OAuth WG may be part of what has some people concerned.
> 
> I don't think these specs overlap with OAuth, but we do need to be mindful of scope creep.   As I stated at the F2F we need to have the two groups work together, so that we can have PoP tokens via the browser.  
> 
> John B.
> 
> 
>> On Dec 8, 2014, at 6:58 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>> It's my understanding that "Unbearable" is part of an effort to create a new working group scoped to work on deliverables based upon these input documents:
>> 
>> http://tools.ietf.org/html/draft-balfanz-https-token-binding
>> http://tools.ietf.org/html/draft-popov-token-binding
>> 
>> I don't think that it was ever intended to cover every aspect of proof-of-possession and so there's not actually any conflict with the work we're already doing in OAuth.  (Nor does it seem to me to be productive to add even more documents-in-flight to the OAuth working group at present.)
>> 
>>                Cheers,
>>                -- Mike
>> 
>> -----Original Message-----
>> From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Derek Atkins
>> Sent: Saturday, December 06, 2014 11:20 AM
>> To: ietf@ietf.org
>> Cc: Andrei Popov; unbearable@ietf.org; Stephen Farrell
>> Subject: Re: [Unbearable] New Non-WG Mailing List: unbearable
>> 
>> Hi,
>> 
>> IETF Secretariat <ietf-secretariat@ietf.org> writes:
>> 
>>> A new IETF non-working group email list has been created.
>>> 
>>> List address: unbearable@ietf.org
>>> Archive: http://www.ietf.org/mail-archive/web/unbearable/
>>> To subscribe: https://www.ietf.org/mailman/listinfo/unbearable
>>> 
>>> Purpose:
>>> 
>>> This list is for discussion of proposals for doing better than bearer 
>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. 
>>> The specific goal is chartering a WG focused on preventing security 
>>> token export and replay attacks.
>> 
>> 
>> The OAUTH Working Group is already (and has been for a while!) looking into "holder of key" protocols to improve upon Bearer Tokens.
>> 
>> I would suggest that this work happen there instead of creating a whole new group for it.
>> 
>> -derek
>> 
>>> For additional information, please contact the list administrators.
>> 
>> -- 
>>      Derek Atkins                 617-623-3745
>>      derek@ihtfp.com             www.ihtfp.com
>>      Computer and Internet Security Consultant
>> 
>> _______________________________________________
>> Unbearable mailing list
>> Unbearable@ietf.org
>> https://www.ietf.org/mailman/listinfo/unbearable
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable
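The thread above turns on one distinction: a bearer token (cookie, OAuth access token) grants access to whoever presents it, so exporting it is enough to replay it, while a proof-of-possession (holder-of-key) token is only useful together with a key the client holds. The following is an added illustration of that difference, not code from this thread, from the OAuth WG drafts, or from the token-binding drafts it names. The token format, the `cnf`/`kid` field naming, the nonce challenge, and the use of a shared HMAC key as the client's proof key are assumptions made for this example; real token binding works at the TLS/HTTP layer with asymmetric keys, which this deliberately does not model.

```python
"""Added example: why an exported bearer token replays and a
proof-of-possession token does not.  All keys, token layout and the
challenge/response shape are constructed for this illustration."""
import hashlib
import hmac
import json
import secrets

# Authorization server's token-signing key (constructed for the example).
AS_KEY = secrets.token_bytes(32)


def _mac(key, data):
    """HMAC-SHA256 over bytes, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(subject, cnf_kid=None):
    """Mint a token: signed JSON claims.  `cnf_kid` (assumed field name,
    modelled loosely on holder-of-key confirmation claims) binds the token
    to a client key; without it the token is a plain bearer token."""
    claims = {"sub": subject, "aud": "resource-server"}
    if cnf_kid:
        claims["cnf"] = {"kid": cnf_kid}
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + _mac(AS_KEY, body).encode()


def parse_token(token):
    """Check the issuer's MAC and return the claims, else raise."""
    body, _, mac = token.rpartition(b".")
    if not hmac.compare_digest(mac.decode(), _mac(AS_KEY, body)):
        raise ValueError("bad token signature")
    return json.loads(body)


class ResourceServer:
    """Accepts bearer tokens as presented.  For tokens carrying `cnf` it
    demands a proof: a MAC over a fresh, single-use nonce plus the request,
    made with the client key registered under that kid."""

    def __init__(self, pop_keys):
        self.pop_keys = pop_keys  # kid -> client proof key, registered out of band
        self.nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def access(self, token, method, path, proof=None):
        claims = parse_token(token)
        if "cnf" not in claims:
            return "granted (bearer)"  # anyone holding the token gets in
        if proof is None:
            return "denied: proof required"
        nonce, sig = proof
        if nonce not in self.nonces:
            return "denied: unknown or reused nonce"
        self.nonces.discard(nonce)  # single use: a captured proof cannot be replayed
        key = self.pop_keys.get(claims["cnf"]["kid"])
        if key is None:
            return "denied: unknown cnf key"
        expected = _mac(key, f"{nonce}|{method}|{path}".encode())
        if not hmac.compare_digest(sig, expected):
            return "denied: proof does not match cnf key"
        return "granted (proof-of-possession)"


def make_proof(pop_key, nonce, method, path):
    """Client side: bind the request to the nonce with its proof key."""
    return nonce, _mac(pop_key, f"{nonce}|{method}|{path}".encode())


def demo():
    client_key = secrets.token_bytes(32)
    rs = ResourceServer({"client-1": client_key})
    bearer = issue_token("alice")
    pop = issue_token("alice", cnf_kid="client-1")

    # Legitimate client: both tokens work.
    legit_bearer = rs.access(bearer, "GET", "/data")
    legit_proof = make_proof(client_key, rs.challenge(), "GET", "/data")
    legit_pop = rs.access(pop, "GET", "/data", proof=legit_proof)

    # Attacker has exported both tokens (and even observed one proof) but
    # does not hold client_key.
    stolen_bearer = rs.access(bearer, "GET", "/data")
    replayed_proof = rs.access(pop, "GET", "/data", proof=legit_proof)
    attacker_key = secrets.token_bytes(32)
    forged_proof = make_proof(attacker_key, rs.challenge(), "GET", "/data")
    stolen_pop = rs.access(pop, "GET", "/data", proof=forged_proof)
    return legit_bearer, legit_pop, stolen_bearer, replayed_proof, stolen_pop


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the example makes concrete is the one John raises for the implicit flow: the proof-of-possession design only helps once the client has a key the server can bind the token to, which in a browser is exactly the part that was missing.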