IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

William Denniss <wdenniss@google.com> Tue, 23 August 2016 19:54 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBE6012D820 for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 12:54:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.259
X-Spam-Level:
X-Spam-Status: No, score=-1.259 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JPdx_kcvizGz for <oauth@ietfa.amsl.com>; Tue, 23 Aug 2016 12:54:16 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DD2E12DA57 for <oauth@ietf.org>; Tue, 23 Aug 2016 12:54:16 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id z8so79053515ywa.1 for <oauth@ietf.org>; Tue, 23 Aug 2016 12:54:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wZXzkAvhiWUbqrI5MLte8UU+gOPMzWwLXK2gWwRiXrk=; b=JIkPD1sUMgsPZnbAbq6vji86/W6lEKy9KzoaEJch3WqxE8QP1GHyyBqWqTFcWYrvBU 34RT44qVaiilawQIr7roYxbw3EjMHTtu4t1iLdghmjmHggMuKAHTsGdC3foLAx8E0b4q tUT/3Jvn1L7yg1kuGjvlBjOuzEtuHr2ffVxArxg0rTNeM8TlGzKqRqDGlzfOR3Up9vnP jbYAB+xN+ZLAmQhfpMkgHhp6Sa9HvD+uiuigfsYvieLKQDq9mbhKlH27IiDRFkkvWrpP v/uXuJRmdwbvTGQ77C+tCSkZyxepmJsiZva1PcZ7dLyhpZ8X3PJDx/p/2Cipse+3JLu5 kFqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wZXzkAvhiWUbqrI5MLte8UU+gOPMzWwLXK2gWwRiXrk=; b=STG0tqJniyMk/u0KRPrUjrzGnIGvZ5/t2TJN76Oq7oOBlfcc2gIzmo7zQS8aeLwerX slk0KvB5Sht3U2ERaE2aNLbHVA97VrmAJaU7BTpOOPOxb8iJ1qaBxFG0sq+DDitQ/59f jp0iijL3I/kZ1hCA/zuiZNVMWZsHwfbQ8P8QxgkWc//Q2saxmtOV440Xyxo2Vq0dthfa tgY2XTn+ixoNRpgfb29pVHK0UXiznRVpENccEFJftZEo2rZRxk2HbZa2Cx2K/gUPqb8s QoUsMtMwVGzMJNMzeaaOMm0swOQXYrX/nYh+TQ1y210a09oYLk+88y5sgq6utn32nB7m mrwQ==
X-Gm-Message-State: AEkoout6GTAPg+mdl3I7PzPn/4ZEuCZR7ejewOoYbteb6x5H2eGqeLruRtcgcEL3d2gAzSPIbYBfWQcqwsqFeEs/
X-Received: by 10.129.109.14 with SMTP id i14mr22405458ywc.4.1471982055430; Tue, 23 Aug 2016 12:54:15 -0700 (PDT)
MIME-Version: 1.0
References: <33052033-0992-ceb8-4390-6837017b140e@gmx.net> <CA+k3eCROB7vkKqXe9XAQcYjpsif5SqNcW0vxLPnLGX_rxBhbEg@mail.gmail.com> <DM5PR03MB24410E438754ABA6FFE20C4CA6130@DM5PR03MB2441.namprd03.prod.outlook.com> <CA+k3eCT4N=U36YRrPSrrPGnfejTxc-rKb6RDQRR+x=jUd5vpXQ@mail.gmail.com> <57BC5F52.5040704@lodderstedt.net>
In-Reply-To: <57BC5F52.5040704@lodderstedt.net>
From: William Denniss <wdenniss@google.com>
Date: Tue, 23 Aug 2016 19:54:05 +0000
Message-ID: <CAAP42hBxk+PELuq1o1sszFS0dfGcLt+4AWyNMmbzsiAHzrY6=A@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="001a114db696882d95053ac287a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/btsZvYsWQX8az18MbNGs130oDwc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 19:54:19 -0000

+1 to adopt.

I would like us to develop a unified approach and merge the current drafts.

On Tue, Aug 23, 2016 at 7:58 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> +1
>
> I would also propose to focus use of token binding to detect replay of
> tokens (access, refresh, code)
>
>
> Am 22.08.2016 um 23:02 schrieb Brian Campbell:
>
> I agree with Tony, if I understand what he's saying.
> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d>
> was largely a straw-man to get the conversation started. But after talking
> with people in Berlin, reviewing Dirk's document, and thinking about it
> some more - it's not clear that PKCE is a great fit for token binding the
> authorization code.
>
> Token binding the authorization code is, I think, something we want to
> account for.  But using/extending PKCE might not be the way to go about it.
> And whatever approach we land on should probably be just one part of the
> larger document on OAuth 2.0 Token Binding.
>
> On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
>> I’m OK with the
>> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d>
>> but not sure that
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d>
>> is a good starting point as we would want a more generic solution for PoP
>> tokens in general
>>
>>
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
>> Campbell
>> *Sent:* Tuesday, August 16, 2016 11:45 AM
>> *To:* Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> *Cc:* oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
>>
>>
>>
>> Just a friendly reminder that the 'deadline' for this call for adoption
>> is tomorrow.
>>
>>
>> According to the minutes from Berlin
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f96%2fminutes%2fminutes-96-oauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5UfCdNKt2iVuFfdiSELqGto9yFSuzjRvdk9rBlGyMz8%3d>,
>> 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were
>> against.
>>
>>
>>
>> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig <
>> hannes.tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> this is the call for adoption of the 'OAuth 2.0 Token Binding' document
>> bundle* following the positive call for adoption at the recent IETF
>> meeting in Berlin.
>>
>> Here are the links to the documents presented at the last IETF meeting:
>> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d>
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d>
>>
>> Please let us know by August 17th whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>>
>> Ciao
>> Hannes & Derek
>>
>> *: We will find out what the best document structure is later, i.e.,
>> whether the content should be included in one, two or multiple documents.
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=E9HUI5JUL%2fYw%2fvnEWGBwEu28r%2fNdF53rdoLP5%2fU46uU%3d>
>>
>>
>>
>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email