Re: [OAUTH-WG] Future of PoP Work
"Phil Hunt (IDM)" <phil.hunt@oracle.com> Mon, 24 October 2016 15:39 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEAD7129895 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level:
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XPSDdWEQXpdg for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2016 08:39:17 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81E2B1298BA for <oauth@ietf.org>; Mon, 24 Oct 2016 08:39:16 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u9OFdDVD021205 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2016 15:39:14 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id u9OFdDmM001313 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2016 15:39:13 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u9OFdB9b024030; Mon, 24 Oct 2016 15:39:12 GMT
Received: from [25.58.75.121] (/24.114.102.146) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 24 Oct 2016 08:39:11 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-6537044A-84A2-4FF1-A6FF-B1A1E946DFDC"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14A456)
In-Reply-To: <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
Date: Mon, 24 Oct 2016 08:38:48 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <4158ACB0-929A-4DDC-B483-3D07D9AA7A5C@oracle.com>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu> <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MMJACE0DVHUSSSCSmMk5w_exjhU>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 15:39:20 -0000
Maybe if we reworked the signing doc so content types like xml and json could be signed? This would cover for the majority of web api cases. Wonder what the advice of the http wg would be on this. Phil > On Oct 24, 2016, at 8:29 AM, Samuel Erdtman <samuel@erdtman.se> wrote: > > +1 on doing PoP work in this working group, including HTTP signing/MACing, I don´t think the old HTTP signature document was that far from useful. > > With the ACE work I like when it is possible to just map work done in the OAuth and other working groups to the more optimized protocols. Some would maybe say that it is sub-optimal that the protocol was not initially designed for the constrained environment but I think the benefit of concept validation from web is a bigger plus. > > //Samuel > >> On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote: >> I believe that the PoP work should stay in the working group, and that without a usable presentation mechanism such as an HTTP message signature the whole work is pointless. I agree with Mike that we should learn from our own mistakes — and that is precisely the direction that the current HTTP signing draft took. As a result, the base level of functionality is signing the token itself (with a timestamp/nonce) using the key. All of the fiddly HTTP bits that trip people up? Not only are they optional, but it’s explicitly declared what’s covered. Why? Because we’re learning from past mistakes. >> >> I think that token binding is relying on a lot of “ifs” that aren’t real yet, and if those “ifs” become reality then it will be to the benefit of large internet companies over everyone else. Additionally, token binding in OAuth is far from the simple solution that it’s being sold as. The very nature of an access token goes against the original purpose of tying an artifact to a single presentation channel. OAuth clients in the real world need to be able to deal with multiple resource servers and dynamically deployed APIs, and the token binding protocol fundamentally assumes a world where two machines are talking directly to each other. >> >> All that said, this working group has consistently shown resistance to solving this problem for many years, so the results of this query don’t at all surprise me. >> >> — Justin >> >> > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >> > >> > Hi all, >> > >> > two questions surfaced at the last IETF meeting, namely >> > >> > 1) Do we want to proceed with the symmetric implementation of PoP or, >> > alternatively, do we want to move it over to the ACE working group? >> > >> > 2) Do we want to continue the work on HTTP signing? >> > >> > We would appreciate your input on these two questions. >> > >> > Ciao >> > Hannes & Derek >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Future of PoP Work Hannes Tschofenig
- Re: [OAUTH-WG] Future of PoP Work Mike Jones
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Brian Campbell
- Re: [OAUTH-WG] Future of PoP Work Anthony Nadalin
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Ludwig Seitz
- Re: [OAUTH-WG] Future of PoP Work Samuel Erdtman
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt (IDM)
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Phil Hunt
- Re: [OAUTH-WG] Future of PoP Work Justin Richer
- Re: [OAUTH-WG] Future of PoP Work Blue Teazzers