Re: [OAUTH-WG] HOTK/POP/etc drafts

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 25 April 2014 09:55 UTC

Message-ID: <535A2E7B.7010102@gmx.net>
Date: Fri, 25 Apr 2014 11:44:27 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Sergey Beryozkin <sberyozkin@gmail.com>, oauth@ietf.org
References: <a5902fbd6bf44b5bb03d9ebf6da0bc33@DM2PR04MB735.namprd04.prod.outlook.com> <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> <535A298B.9030600@gmx.net> <535A2D31.8090909@gmail.com>
In-Reply-To: <535A2D31.8090909@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_76_9B_izbx4iVMDLgs7rh5Qdt8

Hi Sergey,

On 04/25/2014 11:38 AM, Sergey Beryozkin wrote:
> Hopefully PoP model will not be made exclusive for JWT only, it won't be
> very OAuth2 friendly IMHO...

Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. It
just uses a JSON-based encoding of the parameters. I put a strawman
proposal into the document.

For the access token there is also no requirement to use JWTs. The use
of a reference only (in combination with the token introspection) is one
possible deployment option (which I still need to add to the overview
document; I put an editor's note in the version of the document I
submitted today).

Ciao
Hannes