Re: [OAUTH-WG] HOTK/POP/etc drafts

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 25 April 2014 09:39 UTC

Message-ID: <535A2D31.8090909@gmail.com>
Date: Fri, 25 Apr 2014 10:38:57 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, oauth@ietf.org
References: <a5902fbd6bf44b5bb03d9ebf6da0bc33@DM2PR04MB735.namprd04.prod.outlook.com> <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> <535A298B.9030600@gmx.net>
In-Reply-To: <535A298B.9030600@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2ZW9_HwpJ-1u39h2CecUYLgWOtU

On 25/04/14 10:23, Hannes Tschofenig wrote:
> Good question. The architecture allows different mechanisms to be used
> for proof-of-possession between the client and the resource server.
> With the publication of draft-richer-oauth-signed-http-request-01 we
> have a version that uses a JOSE-based encoding. I have not had time to
> illustrate how the MAC-based version would fit in there.

OAuth2 is very open to supporting all sorts of access token types.
Hopefully the PoP model will not be made exclusive to JWT; it won't be
very OAuth2 friendly IMHO...

Cheers, Sergey


>
> On 04/25/2014 10:42 AM, Sergey Beryozkin wrote:
>> Hi Hannes
>>
>> Is the MAC token effort you were leading still on the map?
>>
>> Thanks, Sergey
>>
>> On 24/04/14 20:42, Hannes Tschofenig wrote:
>>> Btw, the HTTP signature mechanism now also got published as
>>> http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01
>>>
>>> I think we now have a pretty good collection of documents to look at.
>>>
>>> Ciao
>>> Hannes
>>>
>>>
>>> On 04/24/2014 06:40 PM, Hannes Tschofenig wrote:
>>>> Hi Lewis,
>>>>
>>>> good that you ask.
>>>>
>>>> In the London IETF meeting we have proposed a plan on how to proceed
>>>> with the proof-of-possession (PoP) work.
>>>>
>>>> John had already explained that the main document is
>>>> draft-hunt-oauth-pop-architecture-00. It paints the big picture and
>>>> points to the relevant documents, in particular to
>>>>    a) draft-bradley-oauth-pop-key-distribution
>>>>    b) draft-jones-oauth-proof-of-possession
>>>>    c) a not-yet-published HTTP signature mechanism.
>>>>
>>>> (a) explains how the client obtains keys from the authorization server.
>>>> (b) describes a mechanism for binding a key to the access token.
>>>> (c) illustrates the procedure for the client to interact with the
>>>> resource server (based on the PoP mechanism).
>>>>
>>>> These documents replace prior work on draft-ietf-oauth-v2-http-mac-05
>>>> and draft-tschofenig-oauth-hotk-03.
>>>>
>>>> We are getting closer to having all relevant parts published.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote:
>>>>> Hi,
>>>>>
>>>>> Lots of crypto drafts on OAuth popping up that I need to come up to
>>>>> speed on.
>>>>>
>>>>> draft-bradley-oauth-pop-key-distribution-00
>>>>> <http://datatracker.ietf.org/doc/draft-bradley-oauth-pop-key-distribution/>
>>>>>
>>>>> draft-hunt-oauth-pop-architecture-00
>>>>> <http://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/>
>>>>>
>>>>> draft-jones-oauth-proof-of-possession-00
>>>>> <http://datatracker.ietf.org/doc/draft-jones-oauth-proof-of-possession/>
>>>>>
>>>>> draft-sakimura-oauth-rjwtprof-01
>>>>> <http://datatracker.ietf.org/doc/draft-sakimura-oauth-rjwtprof/>
>>>>>
>>>>> draft-sakimura-oauth-tcse-03
>>>>> <http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse/>
>>>>>
>>>>> draft-tschofenig-oauth-hotk-03
>>>>> <http://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/>
>>>>>
>>>>> Glad to see all the work, but is there a preferred reading order here?
>>>>> Which ones build on each other vs. which ones are out there on their
>>>>> own?
>>>>>
>>>>> -adam
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>
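The three pieces Hannes lists above, (a) the client obtaining a key from the authorization server, (b) binding that key to the access token, and (c) the client proving possession of it to the resource server, as one added Python sketch. This is not code from any of the drafts or from the people in the thread; it uses the symmetric, MAC-based flavour Sergey asks about. The access token is minted as an HS256 JWT only so the RS can verify it offline; the proof is an HMAC over the request. The `PoP` Authorization scheme, the canonical signing string, the `cnf.kid` lookup and the AS/RS shared key store are assumptions of this example, not any draft's wire format. It runs offline on constructed data.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed deployment: the RS verifies AS-minted tokens with a key shared with
# the AS and resolves the PoP key named by the token's cnf.kid (shared store).
AS_TOKEN_KEY = secrets.token_bytes(32)
POP_KEYS = {}  # kid -> symmetric PoP key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_hs256(payload, key):
    """Compact JWS (HS256) so the RS can check the token offline."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def jws_verify_hs256(token, key):
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad token signature")
    return json.loads(b64url_decode(body))

def as_issue_token(sub, scope, ttl=600):
    """(a) key distribution and (b) binding: a fresh PoP key plus a token whose
    cnf claim names it. The token response carries both to the client."""
    kid = b64url(secrets.token_bytes(8))
    pop_key = secrets.token_bytes(32)
    POP_KEYS[kid] = pop_key
    now = int(time.time())
    claims = {"sub": sub, "scope": scope, "iat": now, "exp": now + ttl,
              "cnf": {"kid": kid}}
    return jws_hs256(claims, AS_TOKEN_KEY), pop_key

def signing_input(method, host, path, ts, token):
    # Canonical string the MAC covers (layout assumed for this example).
    return "\n".join([method.upper(), host.lower(), path, str(ts), token]).encode()

def client_sign_request(method, host, path, token, pop_key, ts=None):
    """(c) client side: prove possession of the key on every request."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(pop_key, signing_input(method, host, path, ts, token),
                   hashlib.sha256).digest()
    return {"Authorization": f"PoP token={token}, ts={ts}, mac={b64url(mac)}"}

def rs_verify_request(method, host, path, headers, now=None, skew=60):
    """(c) RS side: check the token, then the proof over the request as received."""
    now = int(time.time()) if now is None else now
    scheme, _, params = headers["Authorization"].partition(" ")
    if scheme != "PoP":
        raise ValueError("not a PoP request")
    fields = dict(p.split("=", 1) for p in params.split(", "))
    claims = jws_verify_hs256(fields["token"], AS_TOKEN_KEY)
    if claims["exp"] < now:
        raise ValueError("token expired")
    ts = int(fields["ts"])
    if abs(now - ts) > skew:
        raise ValueError("proof outside freshness window")
    pop_key = POP_KEYS.get(claims["cnf"]["kid"])
    if pop_key is None:
        raise ValueError("unknown PoP key")
    expected = hmac.new(pop_key, signing_input(method, host, path, ts, fields["token"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(fields["mac"])):
        raise ValueError("proof of possession failed")
    return claims

def rejected(*args, **kwargs):
    try:
        rs_verify_request(*args, **kwargs)
        return False
    except ValueError:
        return True

def demo():
    """Legitimate use, then the three things a bearer token could not stop."""
    token, key = as_issue_token("alice", "read")
    ts = int(time.time())
    good = client_sign_request("GET", "rs.example", "/resource", token, key, ts)
    stolen = client_sign_request("GET", "rs.example", "/resource", token, b"\0" * 32, ts)
    return {
        "legit": rs_verify_request("GET", "rs.example", "/resource", good)["sub"] == "alice",
        "theft": rejected("GET", "rs.example", "/resource", stolen),      # token without key
        "tamper": rejected("GET", "rs.example", "/admin", good),           # request altered
        "replay": rejected("GET", "rs.example", "/resource", good, now=ts + 300),
    }
```

The point `demo()` makes is the one the PoP work exists for: a captured token is not enough, because the RS recomputes the MAC over the request it actually received, with the key the token's `cnf` names, inside a short freshness window. A deployed scheme would also cover the query string and a body hash, and would need a plan for how the RS obtains the PoP key when the AS and RS do not share a store; none of that is in this sketch.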