Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

John Bradley <ve7jtb@ve7jtb.com> Sat, 06 December 2014 10:09 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <5482CC20.4000202@gmx.net>
Date: Sat, 06 Dec 2014 07:09:04 -0300
Message-Id: <4FDB30EC-62D3-4C01-9EA0-1876BA1AC861@ve7jtb.com>
References: <5481E0A7.2090604@cs.tcd.ie> <548204B3.5050903@gmx.net> <B1060536-0FC9-4153-B7A7-6779F12CE9F7@oracle.com> <6E5265E8-B017-4757-ACAC-6754A30CCC81@ve7jtb.com> <5482CC20.4000202@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wJhwEhVSJx1TTfe5aXPqCx6CThk
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

They have examples of how it could be used in OAuth and Connect.  They didn't look at what we were doing with PoP, so the examples don't line up.

That is why it is important to keep on top of this so that it is the OAuth WG that is defining how this binding mechanism is used in OAuth and JWT.

The specs themselves are, or should be, independent of token type.

We have been waiting for TLS to produce this for around 4 years now.  It is not really new work, mostly a change of venue to make progress.

All of this was discussed at the last IETF meeting.  I thought a significant number of people from the OAuth WG were in the room.

John B.
> On Dec 6, 2014, at 6:28 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> I agree with Phil. As currently described it replicates a lot of the
> work we have done in PoP.
> 
> Ciao
> Hannes
> 
> On 12/06/2014 09:52 AM, John Bradley wrote:
>> No, this is the work formerly known as origin bound certificates & Channel ID.  We need this to bind id_tokens and/or access tokens to TLS sessions.
>> 
>> So it is an alternative TLS binding mechanism.  We still need to describe how to use it with OAuth and JWT.
>> 
>> It is a building block we can use for PoP.
>> 
>> John B.
>>> On Dec 5, 2014, at 10:48 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>> 
>>> Doesn't that duplicate our current work?
>>> 
>>> Phil
>>> 
>>>> On Dec 5, 2014, at 11:17, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -------- Forwarded Message --------
>>>> Subject: [websec] unbearable - new mailing list to discuss better than
>>>> bearer tokens...
>>>> Date: Fri, 05 Dec 2014 16:43:19 +0000
>>>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>>> Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
>>>> To: saag@ietf.org <saag@ietf.org>, websec <websec@ietf.org>,
>>>> uta@ietf.org <uta@ietf.org>, ietf-http-wg@w3.org Group
>>>> <ietf-http-wg@w3.org>, http-auth@ietf.org <http-auth@ietf.org>
>>>> 
>>>> 
>>>> Hiya,
>>>> 
>>>> Following up on the presentation at IETF-91 on this topic, [1]
>>>> we've created a new list [2] for moving that along. The list
>>>> description is:
>>>> 
>>>> "This list is for discussion of proposals for doing better than bearer
>>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>>>> The specific goal is chartering a WG focused on preventing security
>>>> token export and replay attacks."
>>>> 
>>>> If you're interested please join in.
>>>> 
>>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>>> 
>>>> We'll kick off discussion in a few days when folks have had
>>>> a chance to subscribe.
>>>> 
>>>> Cheers,
>>>> S.
>>>> 
>>>> PS: Please don't reply-all to this, join the new list, wait
>>>> a few days and then say what you need to say:-)
>>>> 
>>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>>> 
>>>> _______________________________________________
>>>> websec mailing list
>>>> websec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/websec
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
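The property the thread is about, a token bound to a client-held key (John Bradley's "bind id_tokens and/or access tokens to TLS sessions") versus a bearer token that anyone holding the string can replay (the "token export and replay" in Stephen Farrell's list description), is shown below as an added, self-contained model. It is not code from this thread, from the Token Binding / Channel ID work, or from the OAuth PoP drafts. Everything in it is an assumption for illustration: the authorization server and resource server share an HMAC key for token integrity, the claim carrying the bound key's thumbprint is called `cnf`, a random per-request nonce stands in for the value a real deployment would derive from the TLS channel, and the client key is a Lamport one-time signature key only so the example runs on the standard library alone (Channel ID uses ECDSA; a one-time scheme would not serve as a real client key).

```python
"""Added model: bearer token vs. token bound to a client key.

Not the Token Binding protocol, Channel ID, or the OAuth PoP drafts; the
AS/RS shared key, the "cnf" claim name, the per-request nonce, and the
Lamport one-time signature (stdlib-only stand-in for ECDSA) are assumptions
made for this illustration only.
"""
import base64
import hashlib
import hmac
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """256 preimage pairs as the secret key; their hashes as the public key."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of the message hash, the preimage for that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def pk_thumbprint(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


# Assumed: authorization server and resource server share an HMAC key so the
# RS can check that the AS issued the token (a stand-in for a JWS signature).
AS_RS_KEY = secrets.token_bytes(32)


def issue_token(subject: str, bound_key_thumbprint=None) -> str:
    payload = {"sub": subject, "scope": "read"}
    if bound_key_thumbprint is not None:
        # Assumed claim name; it pins the token to one client key.
        payload["cnf"] = {"kid_sha256": bound_key_thumbprint}
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(AS_RS_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def parse_token(token: str):
    """Return the claims if the AS MAC verifies, else None."""
    body_b64, mac = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(AS_RS_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)


def resource_server(token: str, channel_nonce: bytes, proof=None) -> bool:
    """Accept the request?  A bearer token needs nothing but itself.  A bound
    token also needs a signature over this channel's nonce by the key whose
    thumbprint the AS placed in the token."""
    claims = parse_token(token)
    if claims is None:
        return False
    cnf = claims.get("cnf")
    if cnf is None:
        return True
    if proof is None:
        return False
    pk, sig = proof
    if pk_thumbprint(pk) != cnf["kid_sha256"]:
        return False
    return lamport_verify(pk, channel_nonce, sig)


def demo():
    sk, pk = lamport_keygen()                 # secret half never leaves the client
    bound = issue_token("alice", pk_thumbprint(pk))
    bearer = issue_token("alice")
    nonce = secrets.token_bytes(32)           # legitimate client's channel value
    proof = (pk, lamport_sign(sk, nonce))
    legit = resource_server(bound, nonce, proof)

    # Attacker exported both tokens and the captured proof, but not sk.
    attacker_nonce = secrets.token_bytes(32)  # attacker's own channel value
    sk2, pk2 = lamport_keygen()               # attacker's substitute key
    return {
        "legit_bound": legit,
        "bearer_replayed": resource_server(bearer, attacker_nonce),
        "bound_no_proof": resource_server(bound, attacker_nonce),
        "bound_replayed_proof": resource_server(bound, attacker_nonce, proof),
        "bound_attacker_key": resource_server(
            bound, attacker_nonce, (pk2, lamport_sign(sk2, attacker_nonce))),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The bearer token is accepted from the attacker's channel as readily as from the client's; the bound token is refused without a proof, with a proof captured from another channel, and with a proof from a key the AS never bound. The RS checks only that the presented public key hashes to what the AS put in the token and that the signature covers this channel's value, which is the whole of the "binding" in this model.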