Nat had reviewed Yaron's and my proposal and encouraged us to proceed with it.
Yes, it's intentionally general and not OAuth specific (just like SWTs were).
The JWT token type will have uses outside OAuth. Dirk and we agree that we
need to come up with a unified JSON token spec.
Later today I'll write up a set of comments on the differences between Dirk's
proposal and the JWT one as they stand today to kick-start the discussions of
specifics.
Cheers,
-- Mike
From: [email protected] [mailto:[email protected]] On Behalf Of David Recordon
Sent: Monday, September 27, 2010 9:24 AM
To: Anthony Nadalin
Cc: oauth
Subject: Re: [OAUTH-WG] OAuth Signature Draft Pre 00
Mike and Yaron's proposal is different from Nat's though. Nat's is based
directly around OAuth versus explicitly defining a separate signing mechanism
and then a second spec to map it into OAuth. It also supports fewer options (no
unsigned tokens for example) which makes it easier to understand within this
context. Dirk's now seems to be four specs which then reference Magic
Signatures for the underlying signing.
On Mon, Sep 27, 2010 at 9:17 AM, Anthony Nadalin <[email protected]> wrote:
So we have been working with Nat on the signature proposal, and talking to Nat,
he agrees that the JWT proposal is well under way. What I would like to make
sure is that we merge in with your proposal.
From: [email protected] [mailto:[email protected]] On Behalf Of Dirk Balfanz
Sent: Monday, September 27, 2010 9:13 AM
To: David Recordon
Cc: oauth
Subject: Re: [OAUTH-WG] OAuth Signature Draft Pre 00
I'm just as confused :-) I think what happened is that I posted a signature
draft and then didn't follow up. Nat then very kindly agreed to help and put
out a draft, but that also didn't get much momentum. So I went back and re-did
my drafts. Also, somewhere along the way, Yaron wrote a draft. At least that's
what it looks like from where I'm sitting. I might be getting it wrong (maybe
Yaron's draft represents a merge of his and Nat's thinking? - I'm not sure).
At any rate, of course we need to end up with one proposal in the end. I'm
fairly agnostic about the details, but I believe the following should be true
about any merged proposal:
- very limited number of options for signature algorithms, key representations
(should not require more than 10..20 lines of code in your given platform,
without any additional library, to implement signature and key parsing).
- must support both public and symmetric keys.
- should not have security flaws
Dirk.
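As an added illustration of the "10..20 lines, no extra library" requirement above (this is example code, not text from any of the drafts being discussed): a deliberately option-poor JSON token signed with HMAC-SHA256 using only the Python standard library. The token layout (base64url payload, a dot, base64url tag) and the claim names are assumptions for the demo; only the symmetric-key half of Dirk's second bullet is covered, since public-key signatures would need a crypto library.

```python
# Added example, not from the OAuth WG drafts: a minimal symmetric-key JSON
# token. One algorithm, one key type, no algorithm field for the token to
# choose, so signing and verifying stay small and easy to audit.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as the token encoding (assumed layout)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds padding. Raises ValueError on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Serialise the claims canonically, then append an HMAC-SHA256 tag."""
    payload = _b64url(
        json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64url(tag)


def verify_token(token: str, key: bytes):
    """Return the claims if the tag verifies under `key`, otherwise None.

    The tag is recomputed over the exact bytes received and compared in
    constant time; any malformed input is treated the same as a bad tag.
    """
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # wrong number of parts, bad base64, or bad JSON
        return None


if __name__ == "__main__":
    # Constructed sample key and claims for the demo.
    k = b"constructed-shared-secret"
    t = sign_token({"iss": "issuer.example", "sub": "alice"}, k)
    print(t, verify_token(t, k))
```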
On Mon, Sep 27, 2010 at 6:59 AM, David Recordon <[email protected]> wrote:
I'm a bit confused between the relationship of Nat's I-D and the documents you
and Mike recently posted. Is the goal to have one I-D? Nat's seems to have
fewer options and different modes which makes it easier to read and understand.
On Mon, Aug 30, 2010 at 11:47 AM, Yaron Goland <[email protected]> wrote:
BTW, Nat and I, as mentioned below, are talking. Here is my current draft.
Please keep in mind that it's really just a set of notes trying to capture all
the issues involved in creating a secure token format so it's a bit dense. My
hope is that once all the issues are captured it can be completely re-written
to be in something that looks more like English and is easier for actual
implementers to follow. But for now I think it gives a good sense of some of
the security challenges in creating a secure token format.
Yaron
From: [email protected] [mailto:[email protected]] On Behalf Of Nat Sakimura
Sent: Tuesday, August 24, 2010 6:50 AM
To: oauth
Subject: [OAUTH-WG] OAuth Signature Draft Pre 00
Hi.
It has been a few weeks since I volunteered to do this work.
I have written up to this pre-00 draft, and have since been doing some reality
checks on some script languages etc.
No. This pre-00 draft is far from being feature complete.
I still need to copy and paste the Magic Signatures text etc.
Also, I should add how this spec is being used in some of the major flows.
However, since I will not be able to work on it this week, I thought it would
be worthwhile to share this early draft so that you have some clarity into the
progress.
Apparently, Yaron has been working on it as well. We will compare the notes and
try to merge, I hope.
So, here it is!
#For those of you who have seen the private draft, it has not been changed
since July 31.
Best,
=nat
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth