Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

John Bradley <ve7jtb@ve7jtb.com> Sat, 06 December 2014 08:52 UTC

To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/5WL9OEXIlG3w-cjb3V0L2mPYHiI
Cc: "oauth@ietf.org" <oauth@ietf.org>

No, this is the work formerly known as origin bound certificates & Channel ID. We need this to bind id_tokens and/or access tokens to TLS sessions.

So it is an alternative TLS binding mechanism. We still need to describe how to use it with OAuth and JWT.

It is a building block we can use for PoP.

John B.
> On Dec 5, 2014, at 10:48 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> Doesn't that duplicate our current work?
> 
> Phil
> 
>> On Dec 5, 2014, at 11:17, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> 
>> 
>> 
>> -------- Forwarded Message --------
>> Subject: [websec] unbearable - new mailing list to discuss better than
>> bearer tokens...
>> Date: Fri, 05 Dec 2014 16:43:19 +0000
>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
>> To: saag@ietf.org <saag@ietf.org>, websec <websec@ietf.org>,
>> uta@ietf.org <uta@ietf.org>, ietf-http-wg@w3.org Group
>> <ietf-http-wg@w3.org>, http-auth@ietf.org <http-auth@ietf.org>
>> 
>> 
>> Hiya,
>> 
>> Following up on the presentation at IETF-91 on this topic, [1]
>> we've created a new list [2] for moving that along. The list
>> description is:
>> 
>> "This list is for discussion of proposals for doing better than bearer
>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>> The specific goal is chartering a WG focused on preventing security
>> token export and replay attacks."
>> 
>> If you're interested please join in.
>> 
>> Thanks to Vinod and Andrei for agreeing to admin the list.
>> 
>> We'll kick off discussion in a few days when folks have had
>> a chance to subscribe.
>> 
>> Cheers,
>> S.
>> 
>> PS: Please don't reply-all to this, join the new list, wait
>> a few days and then say what you need to say:-)
>> 
>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>> 
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth