Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

Brian Campbell <bcampbell@pingidentity.com> Mon, 22 August 2016 21:02 UTC


I agree with Tony, if I understand what he's saying.
https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
was largely a straw-man to get the conversation started. But after talking
with people in Berlin, reviewing Dirk's document, and thinking about it
some more - it's not clear that PKCE is a great fit for token binding the
authorization code.

Token binding the authorization code is, I think, something we want to
account for.  But using/extending PKCE might not be the way to go about it.
And whatever approach we land on should probably be just one part of the
larger document on OAuth 2.0 Token Binding.

On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <tonynad@microsoft.com>
wrote:

> I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
> but not sure that https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
> is a good starting point as we would want a more generic solution for PoP
> tokens in general
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Tuesday, August 16, 2016 11:45 AM
> *To:* Hannes Tschofenig <hannes.tschofenig@gmx.net>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
>
> Just a friendly reminder that the 'deadline' for this call for adoption is
> tomorrow.
>
> According to the minutes from Berlin
> <https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth>,
> 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were
> against.
>
> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> this is the call for adoption of the 'OAuth 2.0 Token Binding' document
> bundle* following the positive call for adoption at the recent IETF
> meeting in Berlin.
>
> Here are the links to the documents presented at the last IETF meeting:
> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>
> Please let us know by August 17th whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Ciao
> Hannes & Derek
>
> *: We will find out what the best document structure is later, i.e.,
> whether the content should be included in one, two or multiple documents.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth