Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 06 December 2014 13:55 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBC5D1A9040 for <oauth@ietfa.amsl.com>; Sat, 6 Dec 2014 05:55:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7GdosCizjNUD for <oauth@ietfa.amsl.com>; Sat, 6 Dec 2014 05:55:41 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id F07B11A9042 for <oauth@ietf.org>; Sat, 6 Dec 2014 05:55:40 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 071ABBF1B; Sat, 6 Dec 2014 13:55:40 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDZa50WqSNSF; Sat, 6 Dec 2014 13:55:38 +0000 (GMT)
Received: from [10.87.48.9] (unknown [86.46.31.148]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 166C7BF18; Sat, 6 Dec 2014 13:55:38 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <5482EBC1.1030603@gmx.net>
References: <5481E0A7.2090604@cs.tcd.ie> <548204B3.5050903@gmx.net> <B1060536-0FC9-4153-B7A7-6779F12CE9F7@oracle.com> <6E5265E8-B017-4757-ACAC-6754A30CCC81@ve7jtb.com> <5482CC20.4000202@gmx.net> <4FDB30EC-62D3-4C01-9EA0-1876BA1AC861@ve7jtb.com> <5482EBC1.1030603@gmx.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Sat, 06 Dec 2014 13:55:22 +0000
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <CC3B9165-CE29-459D-8CF9-6A4E64D6975C@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-fzpngcGZpy3Lljo9gk2tZx06wo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Dec 2014 13:55:44 -0000
Hiya,

Sorry - I should have posted the announce here too. Not doing so
was just an oversight.

Discussion of overlaps between the newly proposed and existing work
is a fine topic for the new list I'd say. But better there than here.

Cheers,
S

On 6 December 2014 11:42:57 GMT+00:00, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>I think it should be the responsibility of document authors to read
>the state of the art to avoid re-inventing the wheel (particularly
>since their co-workers have been heavily involved in the work).
>
>It is not true that we have been waiting for 4 years for this now since
>they have changed their solution approach many times and the use of the
>raw public key in combination with the PoP solution would have given a
>complete solution.
>
>Ciao
>Hannes
>
>
>On 12/06/2014 11:09 AM, John Bradley wrote:
>> They have examples of how it could be used in OAuth and Connect.
>> They didn't look at what we were doing with PoP so the examples don't
>> line up.
>>
>> That is why it is important to keep on top of this so that it is the
>> OAuth WG that is defining how this binding mechanism is used in OAuth
>> and JWT.
>>
>> The specs themselves are, or should be, independent of token type.
>>
>> We have been waiting for TLS to produce this for around 4 years now.
>> It is not really new work, mostly a change of venue to make progress.
>>
>> All of this was discussed at the last IETF meeting. I thought a
>> significant number of people from the OAuth WG were in the room.
>>
>> John B.
>>
>>> On Dec 6, 2014, at 6:28 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>> I agree with Phil. As currently described it replicates a lot of the
>>> work we have done in PoP.
>>>
>>> Ciao
>>> Hannes
>>>
>>> On 12/06/2014 09:52 AM, John Bradley wrote:
>>>> No, this is the work formerly known as origin bound certificates &
>>>> Channel ID. We need this to bind id_tokens and/or access tokens to
>>>> TLS sessions.
>>>>
>>>> So it is an alternative TLS binding mechanism. We still need to
>>>> describe how to use it with OAuth and JWT.
>>>>
>>>> It is a building block we can use for PoP.
>>>>
>>>> John B.
>>>>
>>>>> On Dec 5, 2014, at 10:48 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>> Doesn't that duplicate our current work?
>>>>>
>>>>> Phil
>>>>>
>>>>>> On Dec 5, 2014, at 11:17, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: [websec] unbearable - new mailing list to discuss better than bearer tokens...
>>>>>> Date: Fri, 05 Dec 2014 16:43:19 +0000
>>>>>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>>>> Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
>>>>>> To: saag@ietf.org <saag@ietf.org>, websec <websec@ietf.org>, uta@ietf.org <uta@ietf.org>, ietf-http-wg@w3.org Group <ietf-http-wg@w3.org>, http-auth@ietf.org <http-auth@ietf.org>
>>>>>>
>>>>>> Hiya,
>>>>>>
>>>>>> Following up on the presentation at IETF-91 on this topic, [1]
>>>>>> we've created a new list [2] for moving that along. The list
>>>>>> description is:
>>>>>>
>>>>>> "This list is for discussion of proposals for doing better than bearer
>>>>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>>>>>> The specific goal is chartering a WG focused on preventing security
>>>>>> token export and replay attacks."
>>>>>>
>>>>>> If you're interested please join in.
>>>>>>
>>>>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>>>>>
>>>>>> We'll kick off discussion in a few days when folks have had
>>>>>> a chance to subscribe.
>>>>>>
>>>>>> Cheers,
>>>>>> S.
>>>>>>
>>>>>> PS: Please don't reply-all to this, join the new list, wait
>>>>>> a few days and then say what you need to say:-)
>>>>>>
>>>>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>>>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>>>>>
>>>>>> _______________________________________________
>>>>>> websec mailing list
>>>>>> websec@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/websec
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
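The thread turns on one distinction: a bearer token is accepted from whoever presents it, so an exported token can be replayed, whereas a token bound to a key (the PoP approach with an RFC 7800 "cnf" claim, or a TLS-level binding such as the Channel ID lineage John Bradley mentions) is useless without the holder's key. The following is an added example written for this page, not code from the OAuth WG, the PoP drafts or the Token Binding work, and it models the application-layer key binding rather than a TLS session binding. The token format, the symmetric MAC keys, the request-signing layout and the nonce replay cache are assumptions chosen to keep it self-contained; only the "cnf"/"kid" claim shape follows RFC 7800.

```python
"""Bearer token vs. key-bound (proof-of-possession) token, stdlib only.
Added illustration; every key, name and format below is constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed secret shared by the AS and RS for token integrity (assumption;
# a real AS would use a signature and the RS its public key).
AS_SIGNING_KEY = b"authorization-server-secret-constructed"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, scope: str, bound_kid: Optional[str]) -> str:
    """AS issues 'b64(payload).b64(mac)'. With bound_kid the payload carries a
    'cnf' claim naming the client key that must be used to present the token;
    without it the token is a plain bearer token."""
    payload = {"sub": sub, "scope": scope}
    if bound_kid is not None:
        payload["cnf"] = {"kid": bound_kid}
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(AS_SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def parse_token(token: str) -> Optional[dict]:
    """Claims if the MAC verifies, else None. A stripped 'cnf' claim fails here,
    so binding cannot be downgraded to bearer by editing the token."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error)
        return None
    expected = hmac.new(AS_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def pop_signature(client_key: bytes, method: str, uri: str, nonce: str, token: str) -> str:
    """Client-side proof: MAC over request, fresh nonce and token hash with the
    key the token is bound to (layout is an assumption of this example)."""
    msg = "\n".join([method, uri, nonce, hashlib.sha256(token.encode()).hexdigest()]).encode()
    return _b64(hmac.new(client_key, msg, hashlib.sha256).digest())


class ResourceServer:
    def __init__(self, client_keys: Dict[str, bytes]):
        self.client_keys = client_keys  # kid -> key, registered out of band
        self.seen_nonces = set()        # replay cache for accepted proofs

    def authorize(self, method: str, uri: str, token: str,
                  nonce: Optional[str] = None, proof: Optional[str] = None) -> str:
        claims = parse_token(token)
        if claims is None:
            return "reject: bad token"
        cnf = claims.get("cnf")
        if cnf is None:
            return "accept (bearer)"  # whoever holds the token gets in
        key = self.client_keys.get(cnf.get("kid"))
        if key is None or nonce is None or proof is None:
            return "reject: proof of possession required"
        if nonce in self.seen_nonces:
            return "reject: replayed request"
        expected = pop_signature(key, method, uri, nonce, token)
        if not hmac.compare_digest(expected, proof):
            return "reject: proof does not match bound key"
        self.seen_nonces.add(nonce)
        return "accept (bound)"


def demo() -> Dict[str, str]:
    """The attacker has exfiltrated both tokens but not the client's key."""
    client_key = b"client-key-constructed"
    rs = ResourceServer({"client-1": client_key})
    bearer = issue_token("alice", "read", None)
    bound = issue_token("alice", "read", "client-1")
    # Downgrade attempt: bearer-shaped payload glued to the bound token's MAC.
    stripped = bearer.split(".")[0] + "." + bound.split(".")[1]
    good = pop_signature(client_key, "GET", "/r", "n2", bound)
    return {
        "bearer_replayed_by_attacker": rs.authorize("GET", "/r", bearer),
        "bound_presented_without_proof": rs.authorize("GET", "/r", bound),
        "bound_with_wrong_key": rs.authorize(
            "GET", "/r", bound, "n1", pop_signature(b"attacker-key", "GET", "/r", "n1", bound)),
        "bound_legitimate": rs.authorize("GET", "/r", bound, "n2", good),
        "bound_legitimate_replayed": rs.authorize("GET", "/r", bound, "n2", good),
        "cnf_claim_stripped": rs.authorize("GET", "/r", stripped),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} {outcome}")
```

The bearer case is the one the new list's charter text calls "token export and replay": the RS has no way to tell the attacker from the client. The bound cases show what a binding buys and what it does not: the RS must hold (or be able to verify) the confirmed key and keep a replay cache, and the binding only helps if the confirmation claim is integrity-protected, which is why the downgrade attempt fails at `parse_token` rather than being accepted as a bearer token.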
- [OAUTH-WG] Fwd: [websec] unbearable - new mailing… Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… Phil Hunt
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… John Bradley
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… John Bradley
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: [websec] unbearable - new mai… Stephen Farrell
- Re: [OAUTH-WG] [http-auth] unbearable - new maili… Phil Hunt
- Re: [OAUTH-WG] [http-auth] unbearable - new maili… Stephen Farrell
- Re: [OAUTH-WG] [Unbearable] [http-auth] unbearabl… Phil Hunt