Re: [OAUTH-WG] Future of PoP Work
"Phil Hunt (IDM)" <phil.hunt@oracle.com> Wed, 19 October 2016 19:18 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78B31296AF for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.633
X-Spam-Level:
X-Spam-Status: No, score=-4.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDA_E1tB9jTF for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2016 12:18:50 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B81B129665 for <oauth@ietf.org>; Wed, 19 Oct 2016 12:18:49 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u9JJIkga019167 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 19 Oct 2016 19:18:46 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id u9JJIja3029519 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 19 Oct 2016 19:18:46 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u9JJIe9B011808; Wed, 19 Oct 2016 19:18:41 GMT
Received: from [10.0.1.4] (/24.86.208.48) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 19 Oct 2016 12:18:39 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14A456)
In-Reply-To: <CO2PR03MB23588AC1D7A56A3A525FF1FDF5D20@CO2PR03MB2358.namprd03.prod.outlook.com>
Date: Wed, 19 Oct 2016 12:18:36 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B98FAA3-F0A9-409A-9975-6C5D7C2E59AE@oracle.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <CO2PR03MB23588AC1D7A56A3A525FF1FDF5D20@CO2PR03MB2358.namprd03.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LaJNpHXj2EBupKY4XIp3fZdWsXc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 19:18:52 -0000
While the tokbind seems strategic, there are concerns about universality. A chief barrier is getting all tls termination points to support - a matter of substantial time. There are also those that argue that we still need an app layer end-to-end solution that pop provides. That said, I am not sure pop is that useful without some form of request/response signing solution. I hate to say this but maybe we have to go with some form of encapsulation? Eg a signed http request within an http request? Ugh! Phil > On Oct 19, 2016, at 12:04 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > > 1. We should continue the PoP work in the OAuth working group and not move it to ACE. (This was also discussed in the minutes at https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth.) > > 2. We should abandon the HTTP signing work. It is both overly complicated *and* incomplete - not a good combination. This same combination is what let people to abandon OAuth 1.0 in favor of WRAP and later OAuth 2.0. We should learn from our own mistakes. ;-) > > -- Mike > > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Wednesday, October 19, 2016 2:45 PM > To: oauth@ietf.org > Subject: [OAUTH-WG] Future of PoP Work > > Hi all, > > two questions surfaced at the last IETF meeting, namely > > 1) Do we want to proceed with the symmetric implementation of PoP or, alternatively, do we want to move it over to the ACE working group? > > 2) Do we want to continue the work on HTTP signing? > > We would appreciate your input on these two questions. > > Ciao > Hannes & Derek > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Future of PoP Work Hannes Tschofenig
- Re: [OAUTH-WG] Future of PoP Work Mike Jones
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Brian Campbell
- Re: [OAUTH-WG] Future of PoP Work Anthony Nadalin
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Ludwig Seitz
- Re: [OAUTH-WG] Future of PoP Work Samuel Erdtman
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Blue Teazzers