[Txauth] (no subject)
Dick Hardt <dick.hardt@gmail.com> Wed, 29 July 2020 17:07 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 29 Jul 2020 10:06:42 -0700
Message-ID: <CAD9ie-t5b7L_JJrtAYowXNDdTVopej-vCy=OoWEaawgBngKLJQ@mail.gmail.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/pD7xFrZGtxu6qQgLB7SzwU4gVfs>
Hey Kathleen

A couple questions on your presentation:

1) Which versions of the documents did you review?

2) Would you elaborate on your security comparisons of XAuth and XYZ?

I want to make sure I understand the work you put into your review. While reviewing your slides, I was not following a number of your statements. For example:

In your first slide:

A) you stated that "XAuth Relies heavily on OAuth2.0, using Bearer token and adding cryptographic (e.g. JOSE) functions after-the-fact". Both XAuth and XYZ support bearer tokens for calling an RS. I'm not clear how this feature is different in XAuth.

B) What parts of XYZ did you view as "Builds security into the protocol as opposed to adding it in later (e.g. OAuth2.0 bearer token + JWT)"?

C) "Interaction flows defined, focus more on security with cryptographic requirements and examples included" -- there is some cryptography in the redirect flow, but not in the others. In my opinion, the cryptography in the redirect flow does not add any value, and just complicates the protocol.

Perhaps you can point to sections in each draft?

Thanks!

/Dick