+1

I would also propose focusing the use of token binding on detecting replay of tokens (access, refresh, code).

On 22.08.2016 at 23:02, Brian Campbell wrote:
I agree with Tony, if I understand what he's saying. https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 was largely a straw-man to get the conversation started. But after talking with people in Berlin, reviewing Dirk's document, and thinking about it some more - it's not clear that PKCE is a great fit for token binding the authorization code.

Token binding the authorization code is, I think, something we want to account for. But using/extending PKCE might not be the way to go about it. And whatever approach we land on should probably be just one part of the larger document on OAuth 2.0 Token Binding.

On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <[email protected]> wrote:

    I’m OK with the
    https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
    but not sure that
    https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
    is a good starting point as we would want a more generic solution
    for PoP tokens in general

    From: OAuth [mailto:[email protected]] On Behalf Of Brian Campbell
    Sent: Tuesday, August 16, 2016 11:45 AM
    To: Hannes Tschofenig <[email protected]>
    Cc: [email protected]
    Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

    Just a friendly reminder that the 'deadline' for this call for
    adoption is tomorrow.


    According to the minutes from Berlin
    <https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth>,
    13 people were in favor of adopting OAuth 2.0 Token Binding and 0
    were against.

    On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig <[email protected]> wrote:

        Hi all,

        this is the call for adoption of the 'OAuth 2.0 Token Binding'
        document bundle* following the positive call for adoption at the
        recent IETF meeting in Berlin.

        Here are the links to the documents presented at the last IETF
        meeting:
        https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
        https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00

        Please let us know by August 17th whether you accept / object to
        the adoption of this document as a starting point for work in the
        OAuth working group.

        Ciao
        Hannes & Derek

        *: We will find out what the best document structure is later,
        i.e., whether the content should be included in one, two or
        multiple documents.


        _______________________________________________
        OAuth mailing list
        [email protected]
        https://www.ietf.org/mailman/listinfo/oauth




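As an added illustration of the replay-detection use of token binding raised in this thread (example code, not from the drafts or their authors): a resource-server check that an access token carrying the `cnf`/`tbh` confirmation of draft-jones-oauth-token-binding (tbh = base64url of the SHA-256 of the Token Binding ID) is honoured only on a connection that proves the same Token Binding ID. The token payload, the Token Binding ID byte strings and the omission of signature verification are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used for JOSE-style values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def tbh_of(token_binding_id: bytes) -> str:
    """tbh = base64url(SHA-256(Token Binding ID)), per the OAuth Token Binding draft."""
    return b64url(hashlib.sha256(token_binding_id).digest())


def issue_token(subject: str, provided_tb_id: bytes) -> dict:
    """Authorization server side (constructed payload, signing omitted):
    bind the access token to the Provided Token Binding ID the client proved
    possession of during the token request."""
    return {"sub": subject, "scope": "read", "cnf": {"tbh": tbh_of(provided_tb_id)}}


def verify_binding(token: dict, connection_tb_id: Optional[bytes]) -> Tuple[bool, str]:
    """Resource server side: assumes the token signature was already verified.
    A token presented on a connection whose Token Binding ID does not hash to
    cnf.tbh was replayed from another client or connection and is rejected."""
    expected = token.get("cnf", {}).get("tbh")
    if expected is None:
        return False, "token is not token-bound"  # assumed policy: bound tokens only
    if connection_tb_id is None:
        return False, "no Token Binding negotiated on this connection"
    presented = tbh_of(connection_tb_id)
    if not hmac.compare_digest(presented, expected):  # constant-time compare
        return False, "tbh mismatch: token replayed on a different binding"
    return True, "ok"


# Constructed Token Binding IDs; real ones are TLS-level key structures.
LEGIT_TB_ID = b"constructed-legit-client-token-binding-id"
OTHER_TB_ID = b"constructed-other-client-token-binding-id"


def demo() -> dict:
    token = issue_token("alice", LEGIT_TB_ID)
    return {
        "legit": verify_binding(token, LEGIT_TB_ID),
        "replay": verify_binding(token, OTHER_TB_ID),
        "no_binding": verify_binding(token, None),
        "unbound_token": verify_binding({"sub": "alice"}, LEGIT_TB_ID),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} accepted={ok} ({reason})")
```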
