Re: [OAUTH-WG] End User Authentication using OAuth 2.0

John Bradley <ve7jtb@ve7jtb.com> Mon, 03 November 2014 20:07 UTC


Strictly speaking the JWT is signed by the "iss" identity provider's private key and validated by the client using the identity provider's public key.

Though lots of documents talk about signing with "public keys", using the term more conceptually.

You could say "signed by the private portion of the identity provider's public key pair", but it is a bit awkward.

John B.
On Nov 3, 2014, at 4:27 PM, Antonio Sanso <asanso@adobe.com> wrote:

> nice stuff Justin.
> Little nitpicking: is it just me or does this sound a bit weird: "signed by the identity provider's public key"?
> 
> regards
> 
> antonio
> 
> 
> On Nov 3, 2014, at 5:30 AM, Justin Richer <jricher@MIT.EDU> wrote:
> 
>> As of earlier this evening, I've published the article that we've been working on about dealing with OAuth and end-user authentication. It's available here:
>> 
>> http://oauth.net/articles/authentication/
>> 
>> Huge thanks to everyone who commented on the text, both here on the list and last week at IIW. If there are edits to be made, either reply here or just make a pull request directly from GitHub. It's not an RFC, we can keep editing it. :)
>> 
>> In the process of putting this together for the site, I also created an "Articles" structure on the site so that if there are other topics we want to add, we (the community, not just the WG) can do so.
>> 
>> -- Justin
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth