Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

John Bradley <ve7jtb@ve7jtb.com> Tue, 23 August 2016 20:22 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hBxk+PELuq1o1sszFS0dfGcLt+4AWyNMmbzsiAHzrY6=A@mail.gmail.com>
Date: Tue, 23 Aug 2016 17:22:33 -0300
Message-Id: <A399FAED-865E-4319-946E-C8F632AA9075@ve7jtb.com>
References: <33052033-0992-ceb8-4390-6837017b140e@gmx.net> <CA+k3eCROB7vkKqXe9XAQcYjpsif5SqNcW0vxLPnLGX_rxBhbEg@mail.gmail.com> <DM5PR03MB24410E438754ABA6FFE20C4CA6130@DM5PR03MB2441.namprd03.prod.outlook.com> <CA+k3eCT4N=U36YRrPSrrPGnfejTxc-rKb6RDQRR+x=jUd5vpXQ@mail.gmail.com> <57BC5F52.5040704@lodderstedt.net> <CAAP42hBxk+PELuq1o1sszFS0dfGcLt+4AWyNMmbzsiAHzrY6=A@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3ss9h9e_Ew_nQhI_WA0-tnuOm6s>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Yes, I think merging the drafts and not reusing PKCE is the correct path.

Protection for code in the browser redirect also needs to be added to fully protect the whole flow.

John B.
> On Aug 23, 2016, at 4:54 PM, William Denniss <wdenniss@google.com> wrote:
> 
> +1 to adopt. 
> 
> I would like us to develop a unified approach and merge the current drafts.
> 
> On Tue, Aug 23, 2016 at 7:58 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> +1 
> 
> I would also propose to focus use of token binding to detect replay of tokens (access, refresh, code)
> 
> 
> On 22.08.2016 at 23:02, Brian Campbell wrote:
>> I agree with Tony, if I understand what he's saying. https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 was largely a straw-man to get the conversation started. But after talking with people in Berlin, reviewing Dirk's document, and thinking about it some more - it's not clear that PKCE is a great fit for token binding the authorization code.
>> 
>> Token binding the authorization code is, I think, something we want to account for.  But using/extending PKCE might not be the way to go about it. And whatever approach we land on should probably be just one part of the larger document on OAuth 2.0 Token Binding. 
>> 
>> On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>> I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 but not sure that https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 is a good starting point as we would want a more generic solution for PoP tokens in general
>> 
>> 
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
>> Sent: Tuesday, August 16, 2016 11:45 AM
>> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
>> 
>> Just a friendly reminder that the 'deadline' for this call for adoption is tomorrow.
>> 
>> 
>> According to the minutes from Berlin <https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth>, 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were against.
>> 
>> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> Hi all,
>> 
>> this is the call for adoption of the 'OAuth 2.0 Token Binding' document
>> bundle* following the positive call for adoption at the recent IETF
>> meeting in Berlin.
>> 
>> Here are the links to the documents presented at the last IETF meeting:
>> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>> 
>> Please let us know by August 17th whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> *: We will find out what the best document structure is later, i.e.,
>> whether the content should be included in one, two or multiple documents.
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth