Re: [OAUTH-WG] Future of PoP Work
Samuel Erdtman <samuel@erdtman.se> Mon, 24 October 2016 15:29 UTC
In-Reply-To: <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu>
References: <ef15c42a-e233-e148-4f38-ef7f75333c76@gmx.net> <72315511-98C7-4881-B349-CA32DACA9E96@mit.edu>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 24 Oct 2016 17:29:18 +0200
Message-ID: <CAF2hCbZh2jhVCBBqKexgcNyPj+fBMH5txoQz_7PY9FaY5nXF4w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rCpsSZxf5IbUD9THII-s45rMOvI>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Future of PoP Work
+1 on doing PoP work in this working group, including HTTP signing/MACing; I don't think the old HTTP signature document was that far from useful.

With the ACE work I like when it is possible to just map work done in the OAuth and other working groups to the more optimized protocols. Some would maybe say that it is sub-optimal that the protocol was not initially designed for the constrained environment, but I think the benefit of concept validation from the web is a bigger plus.

//Samuel

On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jricher@mit.edu> wrote:

> I believe that the PoP work should stay in the working group, and that
> without a usable presentation mechanism such as an HTTP message signature
> the whole work is pointless. I agree with Mike that we should learn from
> our own mistakes — and that is precisely the direction that the current
> HTTP signing draft took. As a result, the base level of functionality is
> signing the token itself (with a timestamp/nonce) using the key. All of the
> fiddly HTTP bits that trip people up? Not only are they optional, but it's
> explicitly declared what's covered. Why? Because we're learning from past
> mistakes.
>
> I think that token binding is relying on a lot of "ifs" that aren't real
> yet, and if those "ifs" become reality then it will be to the benefit of
> large internet companies over everyone else. Additionally, token binding in
> OAuth is far from the simple solution that it's being sold as. The very
> nature of an access token goes against the original purpose of tying an
> artifact to a single presentation channel. OAuth clients in the real world
> need to be able to deal with multiple resource servers and dynamically
> deployed APIs, and the token binding protocol fundamentally assumes a world
> where two machines are talking directly to each other.
>
> All that said, this working group has consistently shown resistance to
> solving this problem for many years, so the results of this query don't at
> all surprise me.
>
> — Justin
>
>
> On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >
> > Hi all,
> >
> > two questions surfaced at the last IETF meeting, namely
> >
> > 1) Do we want to proceed with the symmetric implementation of PoP or,
> > alternatively, do we want to move it over to the ACE working group?
> >
> > 2) Do we want to continue the work on HTTP signing?
> >
> > We would appreciate your input on these two questions.
> >
> > Ciao
> > Hannes & Derek
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
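The base-level mechanism described in the quoted reply above (sign the access token plus a timestamp and nonce with the key bound to the token, and declare explicitly which HTTP components are also covered), as an added example that is not part of this thread or of any IETF draft. The wire format, the field names and the resource server's coverage policy are assumptions made for illustration; the key is symmetric (HMAC), in line with the first of the two questions quoted above. Besides the signature itself, the verifying side shows the two checks a practitioner needs in practice: a nonce replay cache, and a server-enforced minimum for which components must be covered, since the presenter is the one who chooses the covered list.

```python
# Added example, not code from the thread or from any IETF draft: a minimal
# proof-of-possession presentation.  The client signs the token, a timestamp,
# a nonce and an explicitly declared list of HTTP components with the key
# bound to the token; the resource server verifies with the same key.
# Wire format, field names and the RS policy are assumptions for illustration.
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signing_input(token: str, ts: int, nonce: str, covered, request: dict) -> bytes:
    # Canonical string: token, timestamp, nonce, then each declared HTTP
    # component in declared order.  Because the list is explicit, client and
    # server cannot disagree about which parts of the request were signed.
    parts = [token, str(ts), nonce]
    for name in covered:
        parts.append(f"{name}:{request[name]}")  # KeyError if the part is absent
    return "\n".join(parts).encode()


def make_presentation(token: str, key: bytes, request: dict,
                      covered=("method", "host", "path")) -> dict:
    """Client side: produce the signed presentation for one request."""
    ts = int(time.time())
    nonce = b64url(secrets.token_bytes(16))
    mac = hmac.new(key, signing_input(token, ts, nonce, covered, request),
                   hashlib.sha256).digest()
    return {"at": token, "ts": ts, "nonce": nonce,
            "covered": list(covered), "sig": b64url(mac)}


class ResourceServer:
    """Server side: verify a presentation against the key bound to the token."""

    def __init__(self, token_keys: dict, required=("method", "host", "path"),
                 window: int = 300):
        self.token_keys = token_keys   # token -> PoP key, obtained from the AS
        self.required = set(required)  # components the RS insists are signed
        self.window = window           # acceptable clock skew in seconds
        self.seen = set()              # (token, nonce) replay cache

    def verify(self, pres: dict, request: dict, now=None):
        now = time.time() if now is None else now
        key = self.token_keys.get(pres["at"])
        if key is None:
            return False, "unknown token"
        if abs(now - pres["ts"]) > self.window:
            return False, "stale timestamp"
        # The presenter chooses 'covered', so the RS must enforce its own
        # minimum; otherwise a thief could sign nothing but the token.
        if not self.required <= set(pres["covered"]):
            return False, "required component not covered"
        if (pres["at"], pres["nonce"]) in self.seen:
            return False, "replayed nonce"
        try:
            msg = signing_input(pres["at"], pres["ts"], pres["nonce"],
                                pres["covered"], request)
        except KeyError as missing:
            return False, f"covered component missing: {missing}"
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), pres["sig"]):
            return False, "bad signature"
        self.seen.add((pres["at"], pres["nonce"]))  # only after a valid signature
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: one legitimate client and one token thief."""
    token, key = "at-123", secrets.token_bytes(32)
    rs = ResourceServer({token: key})
    req = {"method": "GET", "host": "api.example", "path": "/v1/widgets"}
    results = {}
    pres = make_presentation(token, key, req)
    results["legit"] = rs.verify(pres, req)
    results["replay"] = rs.verify(pres, req)  # same nonce presented again
    other = dict(req, path="/v1/admin")       # signed for one path, used on another
    results["other_path"] = rs.verify(make_presentation(token, key, req), other)
    # A thief who captured the token as a bearer string, but not the key.
    results["thief"] = rs.verify(make_presentation(token, b"guess", req), req)
    # The thief also cannot shrink the covered set below the RS policy.
    results["stripped"] = rs.verify(
        make_presentation(token, b"guess", req, covered=()), req)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:11s} -> {outcome}")
```

Two design points are worth noting. The replay cache is keyed on (token, nonce) and populated only after a valid signature, so an attacker cannot poison it with unsigned nonces to deny service to the legitimate client. And the timestamp window is checked before any cryptography, which bounds how long a captured presentation remains useful to an attacker and how long the nonce cache has to remember each entry.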