Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 23 August 2016 14:58 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC4B12DB36 for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 07:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.612
X-Spam-Level:
X-Spam-Status: No, score=-0.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4JV1yI4Zt_9l for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 07:58:05 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.18.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F28212D9C8 for <oauth@ietf.org>; Tue, 23 Aug 2016 07:36:07 -0700 (PDT)
Received: from [37.58.176.162] (helo=[172.16.2.26]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1bcCo8-0006vT-EW; Tue, 23 Aug 2016 16:36:04 +0200
To: Brian Campbell <bcampbell@pingidentity.com>, Anthony Nadalin <tonynad@microsoft.com>
References: <33052033-0992-ceb8-4390-6837017b140e@gmx.net> <CA+k3eCROB7vkKqXe9XAQcYjpsif5SqNcW0vxLPnLGX_rxBhbEg@mail.gmail.com> <DM5PR03MB24410E438754ABA6FFE20C4CA6130@DM5PR03MB2441.namprd03.prod.outlook.com> <CA+k3eCT4N=U36YRrPSrrPGnfejTxc-rKb6RDQRR+x=jUd5vpXQ@mail.gmail.com>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <57BC5F52.5040704@lodderstedt.net>
Date: Tue, 23 Aug 2016 16:36:02 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCT4N=U36YRrPSrrPGnfejTxc-rKb6RDQRR+x=jUd5vpXQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040207080001000008020706"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XXc-c6cDO1m0rQtRs1lYZkalkis>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 14:58:09 -0000
+1 I would also propose to focus use of token binding to detect replay of tokens (access, refresh, code) Am 22.08.2016 um 23:02 schrieb Brian Campbell: > I agree with Tony, if I understand what he's saying. > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > was largely a straw-man to get the conversation started. But after > talking with people in Berlin, reviewing Dirk's document, and thinking > about it some more - it's not clear that PKCE is a great fit for token > binding the authorization code. > > Token binding the authorization code is, I think, something we want to > account for. But using/extending PKCE might not be the way to go > about it. And whatever approach we land on should probably be just one > part of the larger document on OAuth 2.0 Token Binding. > > On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin > <tonynad@microsoft.com <mailto:tonynad@microsoft.com>> wrote: > > I’m OK with the > https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> > but not sure that > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > is a good starting point as we would want a more generic solution > for PoP tokens in general > > *From:*OAuth [mailto:oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>] *On Behalf Of *Brian Campbell > *Sent:* Tuesday, August 16, 2016 11:45 AM > *To:* Hannes Tschofenig <hannes.tschofenig@gmx.net > <mailto:hannes.tschofenig@gmx.net>> > *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for > OAuth 2.0 > > Just a friendly reminder that the 'deadline' for this call for > adoption is tomorrow. > > > According to the minutes from Berlin > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f96%2fminutes%2fminutes-96-oauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5UfCdNKt2iVuFfdiSELqGto9yFSuzjRvdk9rBlGyMz8%3d>, > 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 > were against. > > On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: > > Hi all, > > this is the call for adoption of the 'OAuth 2.0 Token Binding' > document > bundle* following the positive call for adoption at the recent > IETF > meeting in Berlin. > > Here are the links to the documents presented at the last IETF > meeting: > https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > > Please let us know by August 17th whether you accept / object > to the > adoption of this document as a starting point for work in the > OAuth > working group. > > Ciao > Hannes & Derek > > *: We will find out what the best document structure is later, > i.e., > whether the content should be included in one, two or multiple > documents. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=E9HUI5JUL%2fYw%2fvnEWGBwEu28r%2fNdF53rdoLP5%2fU46uU%3d> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Anthony Nadalin
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Dirk Balfanz
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… George Fletcher
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Mike Jones
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- [OAUTH-WG] Call for adoption: Token Binding for O… Hannes Tschofenig
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Brian Campbell
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption: Token Binding f… William Denniss
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- Re: [OAUTH-WG] Call for adoption: Token Binding f… John Bradley
- Re: [OAUTH-WG] Call for adoption: Token Binding f… Hannes Tschofenig