Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
Justin Richer <jricher@mit.edu> Tue, 07 March 2017 15:31 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66013126DFB for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2017 07:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0n9IU2Ujbh7D for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2017 07:31:05 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E53B3128B44 for <oauth@ietf.org>; Tue, 7 Mar 2017 07:30:59 -0800 (PST)
X-AuditID: 12074425-143ff70000005535-db-58bed232c20f
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id FF.00.21813.232DEB85; Tue, 7 Mar 2017 10:30:58 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v27FUweF001857; Tue, 7 Mar 2017 10:30:58 -0500
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v27FUte0004179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 7 Mar 2017 10:30:57 -0500
To: Nat Sakimura <n-sakimura@nri.co.jp>, oauth@ietf.org
References: <147067404527.23058.17317554291756036969.idtracker@ietfa.amsl.com> <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
From: Justin Richer <jricher@mit.edu>
Message-ID: <8ec702a8-2f13-09cb-6875-0ae6f1f7e366@mit.edu>
Date: Tue, 07 Mar 2017 10:30:51 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <05e001d29712$424a5960$c6df0c20$@nri.co.jp>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrAIsWRmVeSWpSXmKPExsUixCmqrGt0aV+Ewfw55ha7bh9htDj59hWb A5PHkiU/gcSv84wBTFFcNimpOZllqUX6dglcGYcP/mMseC9dsW/2a+YGxk+iXYycHBICJhJL Lx1nAbGFBNqYJCa8Ve1i5AKyNzBKHN48lxnCuc0ksWD7b7AqYYFAia1bNjOB2CIC5hL7r05k h+iukXh3czeYzSagKjF9TQtYDa+AlcSsz5sZQWwWARWJ2VO3g9WICsRI7O2/D1UjKHFy5hOw +ZwCFhKPToIs5uRgFrCVuDN3N5QtL7H97RzmCYz8s5C0zEJSNgtJ2QJG5lWMsim5Vbq5iZk5 xanJusXJiXl5qUW6Fnq5mSV6qSmlmxhBAcnuorqDcc5fr0OMAhyMSjy8H07tixBiTSwrrsw9 xCjJwaQkynuqByjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhDd3B1CONyWxsiq1KB8mJc3BoiTO K67RGCEkkJ5YkpqdmlqQWgSTleHgUJLg3XABqFGwKDU9tSItM6cEIc3EwQkynAdoeNxFkOHF BYm5xZnpEPlTjIpS4rxNIM0CIImM0jy4XlDCSHh72PQVozjQK8K810CqeIDJBq77FdBgJqDB 2q57QQaXJCKkpBoYTdOfqZU+5dn15uIlF5lTG6R6bgT0ZZm6C31+dWKuy5WkKYu5F3GvErOT +r3r6rH6fc8bpb7Z2aYI9Ilt4O5xDq2Ks+CqvyD+4tN196hnT/jb0z9tO50zO3NPxZdQ6xRz Ha9lSUwPSy7lykewWlu/3X6yunrx07qfTIc9nAPuRq0su5PwJFtZiaU4I9FQi7moOBEAzQOc G/MCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/avUpvOMc0uK9lfBxXUeDkcLFu0Y>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 15:31:20 -0000
What you describe as your minimum case is what I intended to be the minimum case for this document. I opted to put the token inside the payload instead of a hash because then we wouldn't need an additional header to carry the token, and the client wouldn't be required to do an additional crypto operation outside of the JOSE process. -- Justin On 3/7/2017 2:13 AM, Nat Sakimura wrote: > Hi Justin, John, and Hannes > > Is there an appetite to change the draft in such a way as: > > - do not wrap access token itself. It could include at_hash though. > Rationale: Pop access token can be pretty large and I do not want to > double base64url encode. > - perhaps change ts to string to accommodate nonce like string. > > Essentially, what I want to do is not the http signing but just the pop > based > client authentication, which is very simple. > While I was writing it up, it occurred that if the above modification were > done, your draft will be a superset of what I wanted to do. > > My write up is here: http://bit.ly/oauth-jpop > > Financial API uses cases needs something like that. > (Another possibility is a sender confirmation.) > > Best, > > Nat Sakimura > > -- > PLEASE READ :This e-mail is confidential and intended for the > named recipient only. If you are not an intended recipient, > please notify the sender and delete this e-mail. > > >> -----Original Message----- >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of >> internet-drafts@ietf.org >> Sent: Tuesday, August 9, 2016 1:34 AM >> To: i-d-announce@ietf.org >> Cc: oauth@ietf.org >> Subject: [OAUTH-WG] I-D Action: > draft-ietf-oauth-signed-http-request-03.txt >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the Web Authorization Protocol of the IETF. >> >> Title : A Method for Signing HTTP Requests for OAuth >> Authors : Justin Richer >> John Bradley >> Hannes Tschofenig >> Filename : draft-ietf-oauth-signed-http-request-03.txt >> Pages : 13 >> Date : 2016-08-08 >> >> Abstract: >> This document a method for offering data origin authentication and >> integrity protection of HTTP requests. To convey the relevant data >> items in the request a JSON-based encapsulation is used and the JSON >> Web Signature (JWS) technique is re-used. JWS offers integrity >> protection using symmetric as well as asymmetric cryptography. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/ >> >> There's also a htmlized version available at: >> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03 >> >> >> Please note that it may take a couple of minutes from the time of > submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-ht… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signe… Nat Sakimura
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signe… Denis
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signe… Nat Sakimura
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signe… Justin Richer