Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 06 December 2014 09:28 UTC

Message-ID: <5482CC20.4000202@gmx.net>
Date: Sat, 06 Dec 2014 10:28:00 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
References: <5481E0A7.2090604@cs.tcd.ie> <548204B3.5050903@gmx.net> <B1060536-0FC9-4153-B7A7-6779F12CE9F7@oracle.com> <6E5265E8-B017-4757-ACAC-6754A30CCC81@ve7jtb.com>
In-Reply-To: <6E5265E8-B017-4757-ACAC-6754A30CCC81@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yMjgMGDFGZEdU3bu1j-IF5RSwic
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: [websec] unbearable - new mailing list to discuss better than bearer tokens...

I agree with Phil. As currently described it replicates a lot of the
work we have done in PoP.

Ciao
Hannes

On 12/06/2014 09:52 AM, John Bradley wrote:
> No, this is the work formerly known as origin bound certificates & Channel ID. We need this to bind id_tokens and/or access tokens to TLS sessions.
> 
> So it is an alternative TLS binding mechanism.   We still need to describe how to use it with OAuth and JWT.
> 
> It is a building block we can use for PoP.
> 
> John B.
>> On Dec 5, 2014, at 10:48 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> Doesn't that duplicate our current work?
>>
>> Phil
>>
>>> On Dec 5, 2014, at 11:17, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>> -------- Forwarded Message --------
>>> Subject: [websec] unbearable - new mailing list to discuss better than
>>> bearer tokens...
>>> Date: Fri, 05 Dec 2014 16:43:19 +0000
>>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>>> Reply-To: Stephen Farrell <Stephen.Farrell@cs.tcd.ie>
>>> To: saag@ietf.org <saag@ietf.org>, websec <websec@ietf.org>,
>>> uta@ietf.org <uta@ietf.org>, ietf-http-wg@w3.org Group
>>> <ietf-http-wg@w3.org>, http-auth@ietf.org <http-auth@ietf.org>
>>>
>>>
>>> Hiya,
>>>
>>> Following up on the presentation at IETF-91 on this topic, [1]
>>> we've created a new list [2] for moving that along. The list
>>> description is:
>>>
>>> "This list is for discussion of proposals for doing better than bearer
>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>>> The specific goal is chartering a WG focused on preventing security
>>> token export and replay attacks."
>>>
>>> If you're interested please join in.
>>>
>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>>
>>> We'll kick off discussion in a few days when folks have had
>>> a chance to subscribe.
>>>
>>> Cheers,
>>> S.
>>>
>>> PS: Please don't reply-all to this, join the new list, wait
>>> a few days and then say what you need to say:-)
>>>
>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>>
>>> _______________________________________________
>>> websec mailing list
>>> websec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/websec
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>