On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
Since it is preferred to have a long-lived key shared between AS and RS in
this WG,
is there any consideration for this key distribution and its security
requirements?
So far we have had only discussions regarding the standardization of the
AS<->RS server interaction in the context of the UMA work.

You may want to have a look at
http://tools.ietf.org/html/draft-hardjono-oauth-umacore

Not quite true. There's also the token introspection, like Ping has published[1] or what AOL or MITRE have both implemented. You also have to account for those using structured tokens (like JWTs) with signatures to communicate using the token itself, analogous to SAML assertions.

When we brought it up during the re-chartering discussion, there seemed to be a number of folks willing to work on publishing something in this area.

 -- Justin

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth