:-) Phil
> On Dec 6, 2014, at 08:37, Stephen Farrell <[email protected]> wrote:
>
> Hi Phil,
>
> Good points that need discussing but I'd suggest we give the new
> list a few days to allow folks to subscribe and then have that
> discussion.
>
> Thanks,
> S.
>
>> On 06/12/14 16:08, Phil Hunt wrote:
>> On the surface (as currently presented) this work appears to duplicate the
>> POP work going on in OAuth. The key difference is that this work is focused
>> on using ALPN to bind tokens to the TLS channel. From a use case perspective
>> it is very close to OAuth POP, and a specific use case of the current OAuth
>> POP (proof of possession) architecture.
>>
>> I note that the OAuth WG had originally dropped TLS binding in part because
>> TLS was not always end-to-end in cases where load balancers were used. The
>> identified use cases required end-to-end proof of possession (e.g. to
>> prevent token re-use and relaying).
>>
>> Nevertheless, events and approaches change and this is worth discussing
>> (again).
>>
>> I think the architectural/protocol issues around the use of load balancers
>> have to be discussed as the current ALPN proposal may be unbearable for
>> many.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> [email protected]
>>
>>> On Dec 5, 2014, at 8:43 AM, Stephen Farrell <[email protected]>
>>> wrote:
>>>
>>>
>>> Hiya,
>>>
>>> Following up on the presentation at IETF-91 on this topic, [1]
>>> we've created a new list [2] for moving that along. The list
>>> description is:
>>>
>>> "This list is for discussion of proposals for doing better than bearer
>>> tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications.
>>> The specific goal is chartering a WG focused on preventing security
>>> token export and replay attacks."
>>>
>>> If you're interested please join in.
>>>
>>> Thanks to Vinod and Andrei for agreeing to admin the list.
>>>
>>> We'll kick off discussion in a few days when folks have had
>>> a chance to subscribe.
>>>
>>> Cheers,
>>> S.
>>>
>>> PS: Please don't reply-all to this, join the new list, wait
>>> a few days and then say what you need to say :-)
>>>
>>> [1] https://tools.ietf.org/agenda/91/slides/slides-91-uta-2.pdf
>>> [2] https://www.ietf.org/mailman/listinfo/unbearable
>>>
>>> _______________________________________________
>>> http-auth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/http-auth
>
> _______________________________________________
> Unbearable mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/unbearable

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
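The two points in the thread above, that a bearer token is accepted from whoever presents it while a token bound to the TLS channel is not, and that the binding breaks down when TLS terminates at a load balancer, as an added toy model. This is illustration code written for this page, not code from the thread, from the OAuth POP work, or from any IETF draft. It assumes a per-connection "channel ID" (a random 32-byte value standing in for a TLS exporter-style secret, no real TLS is used) and a server-side HMAC as the token format; both are assumptions chosen for the demonstration, not the mechanism the ALPN proposal specifies.

```python
"""Bearer vs. channel-bound tokens: a constructed model of token replay.

Assumption: each TLS connection yields a secret 'channel ID' known to both
ends (in real TLS this would come from an exporter); we fake it with
os.urandom so the example runs offline.
"""
import hashlib
import hmac
import os

CHANNEL_HASH_LEN = 32  # sha256 digest length, appended to bound token bodies


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _split(token: str) -> tuple[bytes, bytes]:
    body_hex, tag_hex = token.split(".", 1)
    return bytes.fromhex(body_hex), bytes.fromhex(tag_hex)


# --- bearer token: validity depends only on the token itself --------------
def issue_bearer(server_key: bytes, subject: str) -> str:
    body = subject.encode()
    return body.hex() + "." + _mac(server_key, body).hex()


def verify_bearer(server_key: bytes, token: str):
    """Returns the subject, or None. Nothing ties the token to a connection,
    so an exported/stolen token replays from any channel."""
    body, tag = _split(token)
    if not hmac.compare_digest(_mac(server_key, body), tag):
        return None
    return body.decode()


# --- channel-bound token: the issuing connection is baked into the token --
def issue_bound(server_key: bytes, subject: str, channel_id: bytes) -> str:
    body = subject.encode() + hashlib.sha256(channel_id).digest()
    return body.hex() + "." + _mac(server_key, body).hex()


def verify_bound(server_key: bytes, token: str, presented_channel_id: bytes):
    """Returns the subject only if the MAC is good AND the token was issued
    for the channel it is now being presented over."""
    body, tag = _split(token)
    if not hmac.compare_digest(_mac(server_key, body), tag):
        return None
    subject, bound = body[:-CHANNEL_HASH_LEN], body[-CHANNEL_HASH_LEN:]
    if not hmac.compare_digest(bound, hashlib.sha256(presented_channel_id).digest()):
        return None  # valid token, wrong channel: export/replay detected
    return subject.decode()


def replay_demo() -> dict:
    """Legitimate client vs. attacker who exfiltrated the token."""
    server_key = os.urandom(32)
    client_channel = os.urandom(32)    # client's own TLS connection
    attacker_channel = os.urandom(32)  # attacker's separate TLS connection
    bearer = issue_bearer(server_key, "alice")
    bound = issue_bound(server_key, "alice", client_channel)
    return {
        "bearer_from_client": verify_bearer(server_key, bearer),
        "bearer_replayed": verify_bearer(server_key, bearer),          # accepted
        "bound_from_client": verify_bound(server_key, bound, client_channel),
        "bound_replayed": verify_bound(server_key, bound, attacker_channel),  # None
    }


def load_balancer_demo() -> dict:
    """TLS terminates at a load balancer, so the backend never sees the
    client's channel. If the backend checks the binding against the
    LB-to-backend connection, the legitimate client is rejected; the check
    has to happen at the LB, or the LB must relay the client's channel ID
    to the backend over a hop the backend trusts (assumed here)."""
    server_key = os.urandom(32)
    client_to_lb_channel = os.urandom(32)
    lb_to_backend_channel = os.urandom(32)
    token = issue_bound(server_key, "alice", client_to_lb_channel)
    return {
        "backend_uses_own_channel": verify_bound(server_key, token, lb_to_backend_channel),
        "lb_relays_client_channel": verify_bound(server_key, token, client_to_lb_channel),
    }
```

The interesting row in `replay_demo` is `bound_replayed`: the MAC still verifies, so a server checking only token integrity would accept it; only the channel comparison rejects the replay. In `load_balancer_demo` the relayed channel ID is trusted on the backend's say-so, which is exactly the end-to-end gap Phil describes: the backend cannot itself confirm that the presenter possesses that channel.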
