Re: [OAUTH-WG] HOTK/POP/etc drafts

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 25 April 2014 10:08 UTC

Hi Hannes
On 25/04/14 10:44, Hannes Tschofenig wrote:
> Hi Sergey,
>
> On 04/25/2014 11:38 AM, Sergey Beryozkin wrote:
>> Hopefully PoP model will not be made exclusive for JWT only, it won't be
>> very OAuth2 friendly IMHO...
>
> Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. It
> just uses a JSON-based encoding of the parameters. I put a strawman
> proposal into the document.
>
> For the access token there is also no requirement to use JWTs. The use
> of a reference only (in combination with the token introspection) is one
> possible deployment option (which I still need to add to the overview
> document; I put an editor's note in the version of the document I
> submitted today).

Thanks for the clarifications, actually, 
draft-richer-oauth-signed-http-request-01 is quite cool, perhaps we will 
see the document in time for using JWE for encrypting HTTP payloads too. 
Looks like OAuth2 is going to affect a lot the way HTTP communications 
are done in the future.

Cheers, Sergey
>
> Ciao
> Hannes
>