Re: [OAUTH-WG] self-issued access tokens

David Waite <david@alkaline-solutions.com> Thu, 30 September 2021 17:44 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <09C675DC-1DC8-4860-A4DD-CE70B1FD5577@aueb.gr>
Date: Thu, 30 Sep 2021 11:44:25 -0600
Cc: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
Message-Id: <DF934801-CDCF-4653-A5ED-0A9F3E26652E@alkaline-solutions.com>
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de> <09C675DC-1DC8-4860-A4DD-CE70B1FD5577@aueb.gr>
To: Nikos Fotiou <fotiou@aueb.gr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0Iak00bGowCqs-jpES-Yse8FPzs>
Subject: Re: [OAUTH-WG] self-issued access tokens

Are you using DPoP at issuance of the credential and embedding the public key as the means to verify the subject? Are you going so far as using DPoP in lieu of Verifiable Presentation wrappers?

-DW

> On Sep 30, 2021, at 12:47 AM, Nikos Fotiou <fotiou@aueb.gr> wrote:
> 
> FYI, this is exactly what we are doing in [1] to manage Verifiable Credentials using OAuth 2.0. The AS issues a verifiable credential that stays (for a long time) in the client. The client uses DPoP to prove ownership of the credential. We just started a new project funded by essif [2] that will further develop this idea and provide implementations.
> 
> Best,
> Nikos
> 
> [1] N. Fotiou, V.A. Siris, G.C. Polyzos, "Capability-based access control for multi-tenant systems using Oauth 2.0 and Verifiable Credentials," Proc. 30th International Conference on Computer Communications and Networks (ICCCN), Athens, Greece, July 2021 (https://mm.aueb.gr/publications/0a8b37c5-c814-4056-88a7-19556221728c.pdf)
> [2] https://essif-lab.eu
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
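
An added example, not code from this thread, from Nikos' paper or from the ESSIF-Lab project, showing one concrete shape the arrangement Nikos describes (long-lived credential at the client, possession proven with DPoP) can take when the key is bound the way RFC 9449 does it: the AS issues a credential, here an ordinary JWT, whose cnf.jkt claim is the RFC 7638 thumbprint of the holder's key, and the client signs a DPoP proof JWT per request with that key. The resource server verifies the credential under the AS key, verifies the proof under the key carried in the proof's own header, and then requires that key to be the one the credential names, so a copied credential is worthless without the private key. The issuer and resource URLs, the "tenant-a" subject and the 300 s / 60 s clock-skew window are assumptions chosen for the demo; only the Go standard library is used, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwk returns the public JWK of a P-256 key and its RFC 7638 thumbprint (the value RFC 9449 puts
// in cnf.jkt). json.Marshal sorts keys and emits no whitespace, which is exactly the canonical
// form the RFC hashes when the map holds only the required members.
func jwk(pub *ecdsa.PublicKey) (k map[string]any, thumbprint string) {
	k = map[string]any{"kty": "EC", "crv": "P-256",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
	canon, _ := json.Marshal(k)
	sum := sha256.Sum256(canon)
	return k, b64(sum[:])
}

// signES256 builds a compact JWS; JOSE wants the raw R||S signature rather than ASN.1.
func signES256(header, claims map[string]any, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(header) // only strings, numbers and maps go in, so Marshal cannot fail
	c, _ := json.Marshal(claims)
	input := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// parse decodes a compact JWS and verifies it as ES256 (the alg header is never consulted) with
// the key keyFor selects from the still-untrusted header: a fixed AS key for the credential, the
// embedded jwk for a DPoP proof.
func parse(token string, keyFor func(map[string]any) *ecdsa.PublicKey) (hdr, claims map[string]any, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, nil, errors.New("malformed JWS")
	}
	for i, dst := range []*map[string]any{&hdr, &claims} {
		if raw, err := base64.RawURLEncoding.DecodeString(p[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, nil, errors.New("undecodable JWS part")
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	pub, digest := keyFor(hdr), sha256.Sum256([]byte(p[0]+"."+p[1]))
	if err != nil || len(sig) != 64 || pub == nil ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, nil, errors.New("signature does not verify under the expected key")
	}
	return hdr, claims, nil
}

// dpopKey rebuilds the key a DPoP proof carries in its own header, or nil if the header is unusable.
func dpopKey(hdr map[string]any) *ecdsa.PublicKey {
	k, _ := hdr["jwk"].(map[string]any)
	x, _ := k["x"].(string)
	y, _ := k["y"].(string)
	xb, errX := base64.RawURLEncoding.DecodeString(x)
	yb, errY := base64.RawURLEncoding.DecodeString(y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if hdr["typ"] != "dpop+jwt" || hdr["alg"] != "ES256" || k["kty"] != "EC" || k["crv"] != "P-256" ||
		errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil
	}
	return pub
}

// issueCredential: the AS signs a long-lived credential whose cnf.jkt names the holder's key.
// The issuer URL is a hypothetical value for the demo.
func issueCredential(asKey *ecdsa.PrivateKey, subject string, holder *ecdsa.PublicKey) (string, error) {
	_, jkt := jwk(holder)
	claims := map[string]any{"iss": "https://as.example", "sub": subject, "cnf": map[string]any{"jkt": jkt}}
	return signES256(map[string]any{"alg": "ES256", "typ": "JWT"}, claims, asKey)
}

// makeDPoPProof: per request the holder signs a proof carrying its public key (jwk), the method
// and URL it will use, a timestamp, a fresh jti and the hash of the credential it presents (ath).
func makeDPoPProof(holder *ecdsa.PrivateKey, method, url, credential string, now time.Time) (string, error) {
	k, _ := jwk(&holder.PublicKey)
	ath, jti := sha256.Sum256([]byte(credential)), make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	return signES256(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": k},
		map[string]any{"htm": method, "htu": url, "iat": now.Unix(), "jti": b64(jti), "ath": b64(ath[:])}, holder)
}

// checkRequest is the resource server's side: credential valid under the AS key, proof valid under
// the key in its own header, and that key must be the one the credential was bound to at issuance.
func checkRequest(credential, proof, method, url string, asPub *ecdsa.PublicKey, now time.Time) error {
	_, cred, err := parse(credential, func(map[string]any) *ecdsa.PublicKey { return asPub })
	if err != nil {
		return fmt.Errorf("credential: %w", err)
	}
	hdr, claims, err := parse(proof, dpopKey)
	if err != nil {
		return fmt.Errorf("proof: %w", err)
	}
	iat, _ := claims["iat"].(float64) // JSON numbers decode as float64
	ath := sha256.Sum256([]byte(credential))
	if claims["htm"] != method || claims["htu"] != url || claims["ath"] != b64(ath[:]) ||
		float64(now.Unix())-iat > 300 || iat-float64(now.Unix()) > 60 { // assumed acceptance window
		return errors.New("proof is not for this request and credential, or is outside the time window")
	}
	cnf, _ := cred["cnf"].(map[string]any)
	if _, jkt := jwk(dpopKey(hdr)); jkt != cnf["jkt"] {
		return errors.New("proof key is not the key the credential was issued to")
	}
	return nil // a real RS also remembers jti values within the window to reject replays
}

func main() {
	const url = "https://rs.example/tenant-a/resource" // hypothetical endpoint
	asKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred, _ := issueCredential(asKey, "tenant-a", &holder.PublicKey)
	good, _ := makeDPoPProof(holder, "GET", url, cred, time.Now())
	bad, _ := makeDPoPProof(thief, "GET", url, cred, time.Now()) // the thief copied the credential, not the key
	fmt.Println("holder:", checkRequest(cred, good, "GET", url, &asKey.PublicKey, time.Now()))
	fmt.Println("thief: ", checkRequest(cred, bad, "GET", url, &asKey.PublicKey, time.Now()))
}
```

Run it with go run; the first line prints <nil> (holder accepted) and the second the key-mismatch error. Two things a deployment needs that are deliberately left out for length: the jti replay cache and the server-supplied DPoP nonce, both of which RFC 9449 expects at a resource server, and the credential's own expiry and revocation handling, which the paper's long-lived credentials make the harder problem. Verification ignores the alg header on purpose, so a proof or credential claiming "none" or an HMAC alg is rejected by the signature check rather than trusted.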