I agree with Tony, if I understand what he's saying. https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> was largely a straw-man to get the conversation started. But after talking with people in Berlin, reviewing Dirk's document, and thinking about it some more - it's not clear that PKCE is a great fit for token binding the authorization code.
Token binding the authorization code is, I think, something we want to account for. But using/extending PKCE might not be the way to go about it. And whatever approach we land on should probably be just one part of the larger document on OAuth 2.0 Token Binding. On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <[email protected]> wrote: > I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token- > binding-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> > but not sure that https://tools.ietf.org/html/ > draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > is a good starting point as we would want a more generic solution for PoP > tokens in general > > > > *From:* OAuth [mailto:[email protected]] *On Behalf Of *Brian > Campbell > *Sent:* Tuesday, August 16, 2016 11:45 AM > *To:* Hannes Tschofenig <[email protected]> > *Cc:* [email protected] > *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0 > > > > Just a friendly reminder that the 'deadline' for this call for adoption is > tomorrow. > > > According to the minutes from Berlin > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f96%2fminutes%2fminutes-96-oauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5UfCdNKt2iVuFfdiSELqGto9yFSuzjRvdk9rBlGyMz8%3d>, > 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were > against. > > > > On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig < > [email protected]> wrote: > > Hi all, > > this is the call for adoption of the 'OAuth 2.0 Token Binding' document > bundle* following the positive call for adoption at the recent IETF > meeting in Berlin. > > Here are the links to the documents presented at the last IETF meeting: > https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > > Please let us know by August 17th whether you accept / object to the > adoption of this document as a starting point for work in the OAuth > working group. > > Ciao > Hannes & Derek > > *: We will find out what the best document structure is later, i.e., > whether the content should be included in one, two or multiple documents. > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=E9HUI5JUL%2fYw%2fvnEWGBwEu28r%2fNdF53rdoLP5%2fU46uU%3d> > > >
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
