Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 06 December 2014 13:55 UTC

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Sat, 06 Dec 2014 13:55:22 +0000
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <CC3B9165-CE29-459D-8CF9-6A4E64D6975C@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-fzpngcGZpy3Lljo9gk2tZx06wo
Cc: "oauth@ietf.org" <oauth@ietf.org>


Hiya, 

Sorry - I should have posted the announce here too. Not doing so was just an oversight.

Discussion of overlaps between the newly proposed and existing work is a fine topic for the new list I'd say. But better there than here. 

Cheers, 
S



On 6 December 2014 11:42:57 GMT+00:00, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>I think it should be the responsibility of document authors to read the
>state of the art to avoid re-inventing the wheel (particularly since
>their co-workers have been heavily involved in the work).
>
>It is not true that we have been waiting for 4 years for this now since
>they have changed their solution approach many times and the use of the
>raw public key in combination with the PoP solution would have given a
>complete solution.
>
>Ciao
>Hannes
>
>
>On 12/06/2014 11:09 AM, John Bradley wrote:
>> They have examples of how it could be used in OAuth and Connect.
>> They didn't look at what we were doing with PoP so the examples don't
>> line up.
>> 
>> That is why it is important to keep on top of this so that it is the
>> OAuth WG that is defining how this binding mechanism is used in OAuth
>> and JWT.
>> 
>> The specs themselves are, or should be, independent of token type.
>> 
>> We have been waiting for TLS to produce this for around 4 years now.
>> It is not really new work, mostly a change of venue to make progress.
>> 
>> All of this was discussed at the last IETF meeting. I thought a
>> significant number of people from the OAuth WG were in the room.
>> 
>> John B.
>>> On Dec 6, 2014, at 6:28 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>> I agree with Phil. As currently described it replicates a lot of the
>>> work we have done in PoP.
>>>
>>> Ciao
>>> Hannes
>>>
>>> On 12/06/2014 09:52 AM, John Bradley wrote:
>>>> No, this is the work formerly known as origin bound certificates &
>>>> Channel ID. We need this to bind id_tokens and/or access tokens to
>>>> TLS sessions.
>>>>
>>>> So it is an alternative TLS binding mechanism. We still need to
>>>> describe how to use it with OAuth and JWT.
>>>>
>>>> It is a building block we can use for PoP.
>>>>
>>>> John B.
>>>>> On Dec 5, 2014, at 10:48 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>> Doesn't that duplicate our current work?
>>>>>
>>>>> Phil
>>>>>
>>>>>> On Dec 5, 2014, at 11:17, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: [websec] unbearable - new mailing list to discuss better
>>>>>> than bearer tokens...
>>>>>> Date: Fri, 05 Dec 2014 16:43:19 +0000
>>>>>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>>>> Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
>>>>>> To: saag@ietf.org <saag@ietf.org>, websec <websec@ietf.org>,
>>>>>> uta@ietf.org <uta@ietf.org>, ietf-http-wg@w3.org Group
>>>>>> <ietf-http-wg@w3.org>, http-auth@ietf.org <http-auth@ietf.org>
>>>>>>
>>>>>>
>>>>>> Hiya,
>>>>>>
>>>>>> Following up on the presentation at IETF-91 on this topic, [1]
>>>>>> we've created a new list [2] for moving that along. The list
>>>>>> description is:
>>>>>>
>>>>>> "This list is for discussion of proposals for doing better than
>>>>>> bearer tokens (e.g. HTTP cookies, OAuth tokens etc.) for web
>>>>>> applications. The specific goal is chartering a WG focused on
>>>>>> preventing security token export and replay attacks."
>>>>>>
>>>>>> If you're interested please join in.
>>>>>>
>>>>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>>>>>
>>>>>> We'll kick off discussion in a few days when folks have had
>>>>>> a chance to subscribe.
>>>>>>
>>>>>> Cheers,
>>>>>> S.
>>>>>>
>>>>>> PS: Please don't reply-all to this, join the new list, wait
>>>>>> a few days and then say what you need to say:-)
>>>>>>
>>>>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>>>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>>>>>
>>>>>> _______________________________________________
>>>>>> websec mailing list
>>>>>> websec@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/websec
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth