Re: [OAUTH-WG] [http-auth] unbearable - new mailing list to discuss better than bearer tokens...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 06 December 2014 16:37 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Message-ID: <548330CC.20906@cs.tcd.ie>
Date: Sat, 06 Dec 2014 16:37:32 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <5481E0A7.2090604@cs.tcd.ie> <2DF4B463-DD15-42BE-85AE-121C14E19A8F@oracle.com>
In-Reply-To: <2DF4B463-DD15-42BE-85AE-121C14E19A8F@oracle.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jE0YGi_2UaIOklsRQV1BnkktV8w
Cc: unbearable@ietf.org, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [http-auth] unbearable - new mailing list to discuss better than bearer tokens...


Hi Phil,

Good points that need discussing but I'd suggest we give the new
list a few days to allow folks to subscribe and then have that
discussion.

Thanks,
S.

On 06/12/14 16:08, Phil Hunt wrote:
> On the surface (as currently presented) this work appears to duplicate the POP work going on in OAuth.  The key difference is that this work is focused on using ALPN to bind tokens to the TLS channel. From a use case perspective it is very close to OAuth POP, and a specific use case of the current OAuth POP (proof of possession) architecture.
> 
> I note that the OAuth WG had originally dropped TLS binding in part because TLS was not always end-to-end in cases where load-balancers were used. The identified use-cases required end-to-end proof of possession (e.g. to prevent token re-use and relaying).
> 
> Nevertheless, events and approaches change and this is worth discussing (again).
> 
> I think the architectural/protocol issues around the use of load balancers have to be discussed as the current ALPN proposal may be unbearable for many. 
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> Hiya,
>>
>> Following up on the presentation at IETF-91 on this topic, [1]
>> we've created a new list [2] for moving that along. The list
>> description is:
>>
>> "This list is for discussion of proposals for doing better than bearer
>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>> The specific goal is chartering a WG focused on preventing security
>> token export and replay attacks."
>>
>> If you're interested please join in.
>>
>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>
>> We'll kick off discussion in a few days when folks have had
>> a chance to subscribe.
>>
>> Cheers,
>> S.
>>
>> PS: Please don't reply-all to this, join the new list, wait
>> a few days and then say what you need to say:-)
>>
>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth
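The load-balancer problem Phil raises above (a token bound to the TLS channel stops verifying once TLS is terminated in front of the resource server), illustrated as an added example that is not part of the thread and not any of the drafts under discussion. It is a constructed Python model: the "TLS channel" is simulated and its per-connection value stands in for a real channel binding such as tls-unique (RFC 5929); the symmetric proof-of-possession key table `POP_KEYS`, the token layout, and the `forward_binding` mitigation are assumptions made for illustration.

```python
"""Model of channel-bound proof-of-possession tokens versus bearer tokens.

Constructed example: no real TLS is involved. Each TlsChannel just carries a
fresh per-connection value that plays the role of a channel binding (think
tls-unique, RFC 5929). The point is the verification logic and where a
TLS-terminating load balancer breaks it.
"""
import hashlib
import hmac
import json
import secrets


class TlsChannel:
    """One simulated TLS connection. A real channel binding is derived from the
    handshake; here each connection simply gets a fresh random 32-byte value."""

    def __init__(self, name):
        self.name = name
        self.binding = hashlib.sha256(b"cb:" + secrets.token_bytes(32)).digest()


# Hypothetical PoP key table at the resource server, keyed by key id ("kid").
# Assumption for illustration: a symmetric PoP key shared between the client
# and the resource server, not any particular draft's key-distribution scheme.
POP_KEYS = {"kid-1": secrets.token_bytes(32)}


def make_token(subject, kid):
    """Access token naming the subject and the PoP key it is confirmed with."""
    return json.dumps({"sub": subject, "cnf": {"kid": kid}}, sort_keys=True).encode()


def make_proof(token, pop_key, binding):
    """Client side: prove possession of pop_key *on this channel* by MACing the
    token together with the channel binding value of the connection it uses."""
    return hmac.new(pop_key, token + binding, hashlib.sha256).digest()


def verify_bearer(token):
    """Bearer semantics: whoever presents the token is accepted (no proof)."""
    return json.loads(token)["sub"]


def verify_channel_bound(token, proof, server_binding):
    """Resource server side: recompute the proof with *its own* view of the
    channel binding. Returns the subject on success, None on failure."""
    claims = json.loads(token)
    pop_key = POP_KEYS.get(claims["cnf"]["kid"])
    if pop_key is None:
        return None
    expected = hmac.new(pop_key, token + server_binding, hashlib.sha256).digest()
    return claims["sub"] if hmac.compare_digest(expected, proof) else None


def scenario_direct():
    """Client talks TLS straight to the resource server (end-to-end channel).
    Returns (legit result, channel-bound replay result, bearer replay result)."""
    ch = TlsChannel("client<->rs")
    token = make_token("alice", "kid-1")
    proof = make_proof(token, POP_KEYS["kid-1"], ch.binding)
    legit = verify_channel_bound(token, proof, ch.binding)
    # An attacker who exported token+proof (e.g. from a log or a compromised
    # client) replays them over its own connection: the binding differs.
    replay = verify_channel_bound(token, proof, TlsChannel("attacker<->rs").binding)
    # With a plain bearer token the same replay simply works.
    bearer_replay = verify_bearer(token)
    return legit, replay, bearer_replay


def scenario_load_balancer(forward_binding=False):
    """TLS terminates at a load balancer, which opens a second TLS connection
    to the resource server. The server's channel is not the client's channel,
    so a proof made over the front-end binding fails at the back end."""
    front = TlsChannel("client<->lb")
    back = TlsChannel("lb<->rs")
    token = make_token("alice", "kid-1")
    proof = make_proof(token, POP_KEYS["kid-1"], front.binding)
    if forward_binding:
        # Hypothetical mitigation (assumption, not from the thread): the LB
        # forwards the front-end binding to the back end over its own
        # authenticated hop, and the back end verifies against that value.
        # The back end must then trust the LB not to lie about it.
        return verify_channel_bound(token, proof, front.binding)
    return verify_channel_bound(token, proof, back.binding)


if __name__ == "__main__":
    print("direct:", scenario_direct())
    print("behind TLS-terminating LB:", scenario_load_balancer())
    print("LB forwards binding:", scenario_load_balancer(forward_binding=True))
```

Run it directly and the first line shows the trade-off in one tuple: the legitimate channel-bound request succeeds, the replayed channel-bound request fails, and the replayed bearer token succeeds. The second line is the load-balancer case: the same legitimate request now fails, because the resource server computes the proof over its own hop's binding, not the client's. Forwarding the front-end binding makes it pass again, but only by moving trust onto the load balancer.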