[OAUTH-WG] Re: Deferred Key Binding / TMB

John Kemp <stable.pseudonym@gmail.com> Sat, 07 June 2025 13:51 UTC

To: Justin Richer <jricher@MIT.EDU>, oauth <oauth@ietf.org>
References: <E40270D7-F032-49B1-9B10-87167331EA3C@mit.edu>
Content-Language: en-US
From: John Kemp <stable.pseudonym@gmail.com>
In-Reply-To: <E40270D7-F032-49B1-9B10-87167331EA3C@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EkV_aC3TjIxVezykOxclmqTvssk>

Some initial feedback upon a quick read (with no background context for 
this issue):

[...]

> that up again and see if that interim can get scheduled soon. I’d
> also like to encourage people to read through the draft and open the
> discussion here on the list more.

* What is the point of using the word "deferred" in this case? Is the 
"key binding" made at some future time? Why? What value does that bring? 
Until when is it deferred?

* Might we enumerate the mechanisms by which you might "trust me, bruh" 
if not by PoP?

* How is this _not_ just effectively a bearer token then?

- johnk

On 06/05/25 at 12:45, Justin Richer wrote:
> Hi Chairs and WG,
> 
> Back in Bangkok, we presented the draft https://datatracker.ietf.org/
> doc/draft-richer-oauth-tmb-claim/ that introduces, in a concrete
> way, the notion of getting a token bound to a key that you don’t
> possess. As we discussed, this is a topic that keeps coming up in
> the OAuth space and is usually dutifully pushed aside for the sake
> of simplicity (and some would argue sanity).
> 
> The chairs mentioned pulling together an interim meeting for the
> OAuth WG for us to discuss this topic ahead of Madrid, to see if
> there was anything more we as a community want to do with it. As
> we’re now more than halfway between the meetings, we wanted to bring
> that up again and see if that interim can get scheduled soon. I’d
> also like to encourage people to read through the draft and open the
> discussion here on the list more.
> 
> — Justin

-- 
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudonym@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj