+1 on doing PoP work in this working group, including HTTP signing/MACing, I don´t think the old HTTP signature document was that far from useful.
With the ACE work I like when it is possible to just map work done in the OAuth and other working groups to the more optimized protocols. Some would maybe say that it is sub-optimal that the protocol was not initially designed for the constrained environment but I think the benefit of concept validation from web is a bigger plus. //Samuel On Sat, Oct 22, 2016 at 7:47 PM, Justin Richer <jric...@mit.edu> wrote: > I believe that the PoP work should stay in the working group, and that > without a usable presentation mechanism such as an HTTP message signature > the whole work is pointless. I agree with Mike that we should learn from > our own mistakes — and that is precisely the direction that the current > HTTP signing draft took. As a result, the base level of functionality is > signing the token itself (with a timestamp/nonce) using the key. All of the > fiddly HTTP bits that trip people up? Not only are they optional, but it’s > explicitly declared what’s covered. Why? Because we’re learning from past > mistakes. > > I think that token binding is relying on a lot of “ifs” that aren’t real > yet, and if those “ifs” become reality then it will be to the benefit of > large internet companies over everyone else. Additionally, token binding in > OAuth is far from the simple solution that it’s being sold as. The very > nature of an access token goes against the original purpose of tying an > artifact to a single presentation channel. OAuth clients in the real world > need to be able to deal with multiple resource servers and dynamically > deployed APIs, and the token binding protocol fundamentally assumes a world > where two machines are talking directly to each other. > > All that said, this working group has consistently shown resistance to > solving this problem for many years, so the results of this query don’t at > all surprise me. > > — Justin > > > On Oct 19, 2016, at 11:45 AM, Hannes Tschofenig < > hannes.tschofe...@gmx.net> wrote: > > > > Hi all, > > > > two questions surfaced at the last IETF meeting, namely > > > > 1) Do we want to proceed with the symmetric implementation of PoP or, > > alternatively, do we want to move it over to the ACE working group? > > > > 2) Do we want to continue the work on HTTP signing? > > > > We would appreciate your input on these two questions. > > > > Ciao > > Hannes & Derek > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth