Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
John Bradley <ve7jtb@ve7jtb.com> Tue, 23 August 2016 21:01 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B88C212D6A1 for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 14:01:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.611
X-Spam-Level:
X-Spam-Status: No, score=-0.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uthucIif4CPN for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 14:01:40 -0700 (PDT)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B3D912D0AF for <oauth@ietf.org>; Tue, 23 Aug 2016 14:01:40 -0700 (PDT)
Received: by mail-qk0-x233.google.com with SMTP id l2so119335908qkf.3 for <oauth@ietf.org>; Tue, 23 Aug 2016 14:01:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3ZBvMRBr/62CPxaajBOmzJOURmF2ob4Fe3DcFy3i3IE=; b=aHswMhhgv288VySh+KbzHTZLA4SjBwTkro/0FzLors4LWphvlxpfepb2LVtRPKod8q WLUIV170/wBCf5hQYcu+OTywB4OpNinbrKoxfKEuW+dgX+glzgDREJnQ7F/DzgYZqPzA eWSAysk6aSyenSWZUhwv0i1OdGRdSNjQ2RkwDbJ/Vstts3gTbWOIMCkXqYcv2n95kKMz hAWZ47O/Zx7r+J13zfx6DXi+Y0YW2wWVZveaPxAhZbmkDKpxTx/gYERF8nYFeGAEX25g 08hY0aKB4YFbcWm7ItCccgSyAdEh9xu683oXFOLc6Pjig6PS5ovByu7rN4Ej0vE8eHlc pFkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3ZBvMRBr/62CPxaajBOmzJOURmF2ob4Fe3DcFy3i3IE=; b=V+8Kk7hEW+IgeL2/7rSIh4RzxVMeKkpD9dX5s1D4Xl39OFpItRB4/retqkOy014zow mLx3sZ/qxs1VTtnUxQuo+PZeckcZkv5AvrxDFqT/l683U8Lb9SiEFhdgo6XKhI/iVxY4 hK9+CjJVX4InN/xtqkSdk9wKwMj50iRgJwZCRkHUvqSxSDz4z7MUJdn1268C/yKw4OMv kqjkxnzX26SjX6tpwMkBPpI7zQQFcvZzTwPXTzGaPttcTy88VKy+ClrO2MCcXw+BiDty hBbIwqXXOkn1Ab3TG1+Sp/bmAR+0oCxAgUVFmiURIOlQNWI1rrJ15oQhDUzIBbrO4SiX SfQg==
X-Gm-Message-State: AE9vXwODCVvenMUZnCrAlu6/jtDyX0QshATb219d5qDakkHMhbnFyB66TIUkYGfly0nxxAmk/MrQv2EF+XUPS5nx
X-Received: by 10.55.42.76 with SMTP id q73mr2645678qkh.250.1471986099409; Tue, 23 Aug 2016 14:01:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.105.3 with HTTP; Tue, 23 Aug 2016 14:01:38 -0700 (PDT)
X-Originating-IP: [181.201.31.235]
In-Reply-To: <CAAP42hBxk+PELuq1o1sszFS0dfGcLt+4AWyNMmbzsiAHzrY6=A@mail.gmail.com>
References: <33052033-0992-ceb8-4390-6837017b140e@gmx.net> <CA+k3eCROB7vkKqXe9XAQcYjpsif5SqNcW0vxLPnLGX_rxBhbEg@mail.gmail.com> <DM5PR03MB24410E438754ABA6FFE20C4CA6130@DM5PR03MB2441.namprd03.prod.outlook.com> <CA+k3eCT4N=U36YRrPSrrPGnfejTxc-rKb6RDQRR+x=jUd5vpXQ@mail.gmail.com> <57BC5F52.5040704@lodderstedt.net> <CAAP42hBxk+PELuq1o1sszFS0dfGcLt+4AWyNMmbzsiAHzrY6=A@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Tue, 23 Aug 2016 18:01:38 -0300
Message-ID: <CAANoGh+w8aS1JYt7agYY=uJcG7J=5rz-CKB7+T1HQvHVJ97CfQ@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary="001a1149611a92324d053ac37845"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QtKkaTpqAZnMSDIhcoD-xVjgZ-8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 21:01:45 -0000
Yes I think merging the drafts and not reusing PKCE is the correct path. Protection for code in the browser redirect also needs to be added to fully protect the w On Aug 23, 2016, at 4:54 PM, William Denniss <wdenniss@google.com> wrote: +1 to adopt. I would like us to develop a unified approach and merge the current drafts. On Tue, Aug 23, 2016 at 7:58 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > +1 > > I would also propose to focus use of token binding to detect replay of > tokens (access, refresh, code) > > > Am 22.08.2016 um 23:02 schrieb Brian Campbell: > > I agree with Tony, if I understand what he's saying. > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > was largely a straw-man to get the conversation started. But after talking > with people in Berlin, reviewing Dirk's document, and thinking about it > some more - it's not clear that PKCE is a great fit for token binding the > authorization code. > > Token binding the authorization code is, I think, something we want to > account for. But using/extending PKCE might not be the way to go about it. > And whatever approach we land on should probably be just one part of the > larger document on OAuth 2.0 Token Binding. > > On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <tonynad@microsoft.com> > wrote: > >> I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token- >> binding-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> >> but not sure that https://tools.ietf.org/html/ >> draft-campbell-oauth-tbpkce-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> >> is a good starting point as we would want a more generic solution for PoP >> tokens in general >> >> >> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian >> Campbell >> *Sent:* Tuesday, August 16, 2016 11:45 AM >> *To:* Hannes Tschofenig < <hannes.tschofenig@gmx.net> >> hannes.tschofenig@gmx.net> >> *Cc:* oauth@ietf.org >> *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0 >> >> >> Just a friendly reminder that the 'deadline' for this call for adoption >> is tomorrow. >> >> >> According to the minutes from Berlin >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f96%2fminutes%2fminutes-96-oauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5UfCdNKt2iVuFfdiSELqGto9yFSuzjRvdk9rBlGyMz8%3d>, >> 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were >> against. >> >> >> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig < >> <hannes.tschofenig@gmx.net>hannes.tschofenig@gmx.net> wrote: >> >> Hi all, >> >> this is the call for adoption of the 'OAuth 2.0 Token Binding' document >> bundle* following the positive call for adoption at the recent IETF >> meeting in Berlin. >> >> Here are the links to the documents presented at the last IETF meeting: >> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> >> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> >> >> Please let us know by August 17th whether you accept / object to the >> adoption of this document as a starting point for work in the OAuth >> working group. >> >> Ciao >> Hannes & Derek >> >> *: We will find out what the best document structure is later, i.e., >> whether the content should be included in one, two or multiple documents. >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=E9HUI5JUL%2fYw%2fvnEWGBwEu28r%2fNdF53rdoLP5%2fU46uU%3d> >> >> >> > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Anthony Nadalin
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Dirk Balfanz
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… George Fletcher
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Mike Jones
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- [OAUTH-WG] Call for adoption: Token Binding for O… Hannes Tschofenig
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption: Token Binding f… William Denniss
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Hannes Tschofenig